METHOD OF RECONSTRUCTING A SECRET, SHARED SECRET 
RECONSTRUCTION APPARATUS, AND SECRET RECONSTRUCTION SYSTEM 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention relates to a method of 
reconstructing secret information shared by a group of 
members, a shared secret reconstruction apparatus that can 
be used to carry out this method, and a secret 
reconstruction system that includes the shared secret 
reconstruction apparatus. 

2. Description of the Related Art 

When important secret information, such as a secret key 
used for encrypting information to protect its security or 
secret information used for authentication, is stored, there 
is a risk that the secret information may be lost, destroyed, 
or stolen. One way of preventing the loss or destruction of 
secret information is to make and store copies of the 
information, but copying the secret information increases 
the risk that it may be stolen. Secret sharing provides a 
solution to this problem. In a secret sharing scheme, a 
secret sharing apparatus (a processor) encrypts the original 
secret information and thereby generates a plurality of 
secret shares, which are distributed to the participants in 
the secret sharing scheme. Each participant is a computing 
device comprising a processor and memory. When the secret 
information is needed, a secret reconstruction apparatus (a 
processor) collects shares from a necessary number of 
members and reconstructs (recovers) the secret information 
from the collected shares. 

One secret sharing scheme, referred to as Shamir's 
method, is the (k, n) threshold secret sharing scheme 
described in, for example, Gendai Ango (Modern Cryptography) by 
Okamoto et al., published by Sangyo Tosho. In this scheme, 
the secret information is encrypted as n shares, where n is 
an integer equal to or greater than two, in such a way that 
the original secret information can be recovered from any k 
shares, where k is an integer equal to or less than n, but 
nothing can be found out about the original secret 
information from any set of fewer than k shares. 

This scheme makes use of polynomial interpolation. More specifically, the secret information is shared by using polynomials $f(x)$ of degree $k-1$ having the form shown in equation (1) below, in which $S$ is the original secret information and $R_1, R_2, \ldots, R_{k-1}$ are random numbers determined by the distributor.

$f(x) = S + R_1 x + R_2 x^2 + \cdots + R_{k-1} x^{k-1}$    (1)

If the n members to whom shares will be distributed have member IDs $m_1, m_2, \ldots, m_n$, the share $X_{m_j}$ ($j = 1, 2, \ldots, n$) for the member with ID $m_j$ (hereinafter, member $m_j$) can be calculated from equation (1) as shown in the following equation (2).

$X_{m_j} = f(m_j) = S + R_1 m_j + R_2 m_j^2 + \cdots + R_{k-1} m_j^{k-1}$    (2)

FIG. 1 illustrates the operation of a secret sharing operation unit 101 that carries out a secret sharing operation based on the (k, n) threshold secret sharing scheme. As shown in FIG. 1, the secret sharing operation unit 101 receives the original secret information $S$ and the member IDs $m_j$ ($j = 1, 2, \ldots, n$) of all members to whom shares of the secret information $S$ will be distributed, generates a polynomial $f(x)$ equivalent to equation (1) on the basis of the secret information $S$, and then generates and outputs the shares $X_{m_j}$ corresponding to the member IDs $m_j$ by using equation (2). The output shares $X_{m_j}$ are secretly distributed to the members having the corresponding member IDs. 

When the original secret information $S$ is reconstructed from the shares distributed to the members, any $t$ ($k \le t \le n$) members of the n members are collected, their member IDs $m'_1, m'_2, \ldots, m'_t$ and shares $X_{m'_1}, X_{m'_2}, \ldots, X_{m'_t}$ are gathered, and the secret information $S$ is computed using the following equations (3) and (4).

$S = r_{m'_1} X_{m'_1} + r_{m'_2} X_{m'_2} + \cdots + r_{m'_t} X_{m'_t} = \sum_{j=1}^{t} r_{m'_j} X_{m'_j}$    (3)

$r_{m'_j} = \dfrac{m'_1 \times m'_2 \times \cdots \times m'_t / m'_j}{(m'_1 - m'_j) \times (m'_2 - m'_j) \times \cdots \times (m'_{j-1} - m'_j) \times (m'_{j+1} - m'_j) \times \cdots \times (m'_t - m'_j)}$    (4)

When the original secret information $S$ is reconstructed by the method described above, however, the secret information $S$ cannot be computed without revealing the member IDs $m'_1, m'_2, \ldots, m'_t$ and shares $X_{m'_1}, X_{m'_2}, \ldots, X_{m'_t}$ of the collected members. Even if there is a trustworthy central secret reconstruction facility that carries out the reconstruction of secret information, the secret information $S$ cannot be computed without providing that central facility with the collected member IDs $m'_1, m'_2, \ldots, m'_t$ and shares $X_{m'_1}, X_{m'_2}, \ldots, X_{m'_t}$. That is, the conventional method is unable to compute the secret information $S$ while the collected members remain anonymous.

If there is no such central secret reconstruction facility, the secret information $S$ cannot be obtained unless the shares $X_{m'_1}, X_{m'_2}, \ldots, X_{m'_t}$ held by the collected members are revealed to a possibly non-trustworthy party. That is, once the original secret information is reconstructed, the shares distributed to the members have been compromised and cannot be reused. It is then necessary to repeat the process of sharing the secret information. 

SUMMARY OF THE INVENTION 

An object of the present invention is to provide a 
method of reconstructing secret information from shares held 
by a group of members , in which the members can remain 
anonymous and no member has to reveal the shares it holds . 

Another object of the invention is to provide a shared 
secret reconstruction apparatus with which the invented 
method can be carried out. 

Still another object is to provide a secret 
reconstruction system including the above shared secret 
reconstruction apparatus . 

In the invented method of reconstructing secret information, a secret sharing scheme is used to generate $n$ first shares from the secret information ($2 \le n$) in such a way that, after the first shares are distributed to a group having $n$ members, the original secret information can be reconstructed by a collection of any $t$ members ($2 \le t \le n$). Each of the $t$ members uses the secret sharing scheme to generate $t$ second shares from its first share, and distributes the $t$ second shares to the $t$ collected members. Each of the $t$ collected members then performs part of a distributed computation by using a second share it generated itself and $t - 1$ second shares received from the other collected members to generate an intermediate result. The original secret information is reconstructed from the $t$ intermediate results generated by the $t$ collected members. 



The original secret information can be reconstructed in 
this way without forcing the members to reveal their first 
shares or their member IDs. 

BRIEF DESCRIPTION OF THE DRAWINGS 

In the attached drawings: 

FIG. 1 illustrates the basic structure of a (k, n) 
threshold secret sharing scheme; 

FIG. 2 illustrates a structure for carrying out the secret sharing scheme in a first embodiment of the invention; 

FIG. 3 illustrates members and secure channels in the 
first embodiment; 

FIG. 4 is a drawing depicting a secret reconstruction 
method according to the first embodiment of the invention; 

FIG. 5 is a block diagram of a secret reconstruction 
system for carrying out the secret reconstruction method in 
the first embodiment; 

FIG. 6 is a block diagram illustrating the structure of 
the distributed secret reconstruction operation unit in FIG. 
5; 

FIG. 7 is a flowchart illustrating the secret 
reconstruction method according to the first embodiment; 

FIG. 8 is a block diagram of a secret reconstruction 
system for carrying out secret reconstruction in a second 
embodiment of the invention; 

FIG. 9 is a block diagram illustrating the structure of 
the distributed secret reconstruction operation unit in FIG. 
8; 

FIG. 10 is a flowchart illustrating the secret 
reconstruction method according to the second embodiment; 

FIG. 11 is a drawing depicting a secret reconstruction method according to a third embodiment of the invention; 

FIG. 12 is a block diagram of a secret reconstruction system for carrying out secret reconstruction in the third embodiment; 

FIG. 13 is a block diagram illustrating the structure 
of the distributed secret reconstruction operation unit in 
FIG. 12; 

FIG. 14 is a block diagram illustrating the structure 
of the distributed processor in FIG. 13; 

FIG. 15 is a block diagram illustrating the structure 
of the term calculation unit in FIG. 14; 

FIG. 16 is a block diagram illustrating the structure 
of a distributed multiplication unit in FIG. 15; 

FIG. 17 is a block diagram illustrating the structure 
of another distributed multiplication unit in FIG. 15; 

FIG. 18 is a block diagram illustrating the structure 
of the distributed inverse element calculation unit in FIG. 
15; 

FIG. 19 is a flowchart illustrating the secret 
reconstruction method according to the third embodiment; 

FIG. 20 is a block diagram illustrating the structure 
of a distributed multiplication unit used in a fourth 
embodiment of the invention; 

FIG. 21 is a block diagram illustrating the structure 
of the ij-term calculation unit in FIG. 20; 

FIG. 22 is a block diagram illustrating the structure 
of the term operation receiver in FIG. 21; 

FIG. 23 is a block diagram illustrating the structure 
of the term operation transmitter in FIG. 21; 

FIGs. 24A and 24B constitute a block diagram 
illustrating the structure of a distributed inverse element 
calculation unit used in a secret reconstruction method 
according to a fifth embodiment of the invention; 

FIG. 25 is a block diagram illustrating the structure of a term calculation unit in a modification of the third embodiment; 

FIG. 26 is a block diagram illustrating the structure 
of an ij-term calculation unit in a modification of the 
fourth embodiment; and 

FIGs. 27A and 27B constitute a block diagram 
illustrating the structure of a distributed inverse element 
calculation unit in a modification of the fifth embodiment. 

DETAILED DESCRIPTION OF THE INVENTION 

Embodiments of the invention will now be described with 
reference to the attached drawings, in which like elements 
are indicated by like reference characters. 

First Embodiment 
General Description 

In the first embodiment, secret information S is 
reconstructed from shares held by a plurality of members by 
executing a multiparty protocol in which the members do not 
reveal their shares. The reconstruction process is carried 
out by a secret reconstruction system comprising a plurality 
of distributed secret reconstruction operation units 
operated by the members and a secret reconstruction 
operation unit operated by one or more of the members or by 
a central facility. The members are typically computing 
devices with computing and memory facilities. 

Multiparty Protocol 

A general description of a multiparty protocol will now 
be given. A multiparty protocol, also referred to (in the 
reference cited above, for example) as a distributed 
computation, is a scheme in which a collection of members 
cooperatively compute a mathematical function without 
revealing the values they input to the function. There are 
two main types of multiparty protocols. In the first type, 
any two of the collected members have a secure channel over 
which they can communicate without revealing the content of 
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their communication to any of the other members. In the 
second type, there is also an oblivious transfer channel. In 
the reference cited above, the second type of multiparty 
protocol is carried out by binary operations (NOT and AND) . 
Further details on the second type of multiparty protocol 
will be given in the description of the fourth embodiment. 

A multiparty protocol of the first type in which finite field elements are added and multiplied will be described here. It will be assumed that the multiparty protocol is executed by $t$ members holding member IDs $m_j$ ($j = 1, 2, \ldots, t$) and respective secret information $X_{m_j}$ ($j = 1, 2, \ldots, t$), to compute the value $Y$ of the mathematical function $f$ in the following equation (5).

$Y = f(X_{m_1}, X_{m_2}, \ldots, X_{m_t})$    (5)

In this computation, the values of the member IDs $m_j$ and secret information $X_{m_j}$ ($j = 1, 2, \ldots, t$) are selected from a finite (Galois) field $\mathrm{GF}(q)$, where $q$ is a prime number or a power of a prime number. The computation of the mathematical function $f$ in equation (5) is also carried out in the finite field $\mathrm{GF}(q)$, so the function value $Y$ is an element of the finite field $\mathrm{GF}(q)$.

In the multiparty protocol, to compute the function value $Y$ without revealing the secret information $X_{m_j}$ ($j = 1, 2, \ldots, t$) held by each member, shares are generated from the secret information $X_{m_j}$ ($j = 1, 2, \ldots, t$) by using a $(k, t)$ threshold secret sharing scheme, and these shares are distributed to the members. If the member having member ID $m_j$ holds the secret information $X_{m_j}$, the member generates a polynomial $f_{m_j}(x)$ of degree $k - 1$ ($k \le t$) having the form shown in the following equation (6):

$f_{m_j}(x) = X_{m_j} + R_{m_j,1} x + R_{m_j,2} x^2 + \cdots + R_{m_j,k-1} x^{k-1}$    (6)

where $R_{m_j,1}, R_{m_j,2}, \ldots, R_{m_j,k-1}$ are $k-1$ random elements selected from the finite field $\mathrm{GF}(q)$. 

When shares are generated from the secret information $X_{m_j}$ by using the secret sharing scheme, the share $X_{m_j,p}$ that will be distributed to the member having member ID $m_p$ can be calculated using equation (6), as shown in the following equation (7).

$X_{m_j,p} = f_{m_j}(m_p) = X_{m_j} + R_{m_j,1} m_p + R_{m_j,2} m_p^2 + \cdots + R_{m_j,k-1} m_p^{k-1}$    (7)

This share $X_{m_j,p}$ is distributed to the member having member ID $m_p$ through a secure channel so that the share $X_{m_j,p}$ is kept secret from the other members.

The additions and multiplications in equations (6) and (7) are carried out in the finite field $\mathrm{GF}(q)$. Accordingly, the resulting shares $X_{m_j,p}$ ($j = 1, 2, \ldots, t$; $p = 1, 2, \ldots, t$) are also values in the finite field $\mathrm{GF}(q)$. In the descriptions below, all computations will be carried out in the finite field $\mathrm{GF}(q)$ unless otherwise stated.

As a result of the process described above, each member holds a share $X_{m_j,p}$ of the secret information $X_{m_j}$. After all $t$ members have carried out this process, the member having member ID $m_j$ holds $t$ shares ($X_{m_1,j}, X_{m_2,j}, \ldots, X_{m_t,j}$), including shares distributed by the other members and one share of its own secret information. 

Shared addition in the multiparty protocol will now be described. As an example, it will be assumed that equation (5) has a form in which two inputs $X_{m_A}$ and $X_{m_B}$ are added, as in the following equation (8).

$Y = f(X_{m_1}, X_{m_2}, \ldots, X_{m_t}) = X_{m_A} + X_{m_B}$    (8)

In this multiparty protocol, each member obtains a share $Y_{m_j}$ ($j = 1, 2, \ldots, t$) of the computational result $Y$ by adding its two shares of the inputs $X_{m_A}$ and $X_{m_B}$. More specifically, since the member having member ID $m_j$ has shares $X_{m_A,j}$ and $X_{m_B,j}$ of the inputs $X_{m_A}$ and $X_{m_B}$, this member obtains a share $Y_{m_j}$ of the computational result $Y$ by the following equation (9).

$Y_{m_j} = X_{m_A,j} + X_{m_B,j}$    (9)

Distributed multiplication in the multiparty protocol will be described next. It will now be assumed, for the sake of an example, that the mathematical function given by equation (5) has a form in which two inputs $X_{m_A}$ and $X_{m_B}$ are multiplied, as in the following equation (10).

$Y = f(X_{m_1}, X_{m_2}, \ldots, X_{m_t}) = X_{m_A} \times X_{m_B}$    (10)

In this case, in the multiparty protocol, each member carries out the following steps S101 to S103. In the first step S101, the member multiplies its two shares of the inputs $X_{m_A}$ and $X_{m_B}$ together. In the following step S102, shares are generated from the multiplication result and are distributed to the members. In the last step S103, each member reconstructs a share $Y_{m_j}$ ($j = 1, 2, \ldots, t$) of the computational result $Y$ from the received shares. In a distributed multiplication in the first type of multiparty protocol, it is necessary for the threshold $k$ of the secret sharing scheme to satisfy the condition given by the following equation (11). The reason is that the product of two shares lies on a polynomial of degree $2(k-1)$, which the $t$ collected members can interpolate only if $2(k-1) \le t - 1$.

$k \le (t + 1)/2$    (11)

The condition in equation (11) is computed with normal integers and fractions in the real number field, not in the finite field $\mathrm{GF}(q)$. If the member having member ID $m_j$ holds shares $X_{m_A,j}$ and $X_{m_B,j}$ of the respective inputs $X_{m_A}$ and $X_{m_B}$, first the calculation in the following equation (12) is carried out to obtain an intermediate result $Y'_{m_j}$, which corresponds to step S101.

$Y'_{m_j} = X_{m_A,j} \times X_{m_B,j}$    (12)

Next, this intermediate result $Y'_{m_j}$ is shared by using a polynomial as shown in the following equation (13), which corresponds to step S102:

$f'_{m_j}(x) = Y'_{m_j} + R'_{m_j,1} x + R'_{m_j,2} x^2 + \cdots + R'_{m_j,k-1} x^{k-1}$    (13)

where $R'_{m_j,1}, R'_{m_j,2}, \ldots, R'_{m_j,k-1}$ are $k-1$ random elements selected from the finite field $\mathrm{GF}(q)$.

The share $Y'_{m_j,p}$ of the intermediate result $Y'_{m_j}$, which is distributed to the member having member ID $m_p$ ($p = 1, 2, \ldots, t$), is calculated using equation (13) as shown in the following equation (14).

$Y'_{m_j,p} = f'_{m_j}(m_p) = Y'_{m_j} + R'_{m_j,1} m_p + R'_{m_j,2} m_p^2 + \cdots + R'_{m_j,k-1} m_p^{k-1}$    (14)

This share is distributed to the member having member ID $m_p$ ($p = 1, 2, \ldots, t$) through a secure channel and remains secret from the other members. As a result of the operations in equation (14), the member having member ID $m_j$ receives the $t$ shares $Y'_{m_1,j}, Y'_{m_2,j}, \ldots, Y'_{m_t,j}$. 

The member having member ID $m_j$ computes a share $Y_{m_j}$ of the multiplication result $Y$ from these shares $Y'_{m_1,j}, Y'_{m_2,j}, \ldots, Y'_{m_t,j}$ as shown in the following equations (15) and (16).

$Y_{m_j} = r_{m_1} Y'_{m_1,j} + r_{m_2} Y'_{m_2,j} + \cdots + r_{m_t} Y'_{m_t,j} = \sum_{i=1}^{t} r_{m_i} Y'_{m_i,j}$    (15)

$r_{m_j} = \dfrac{m_1 \times m_2 \times \cdots \times m_t / m_j}{(m_1 - m_j) \times (m_2 - m_j) \times \cdots \times (m_{j-1} - m_j) \times (m_{j+1} - m_j) \times \cdots \times (m_t - m_j)} = \prod_{\substack{i=1 \\ i \ne j}}^{t} \frac{m_i}{m_i - m_j}$    (16)

This computation, which corresponds to step S103, is similar to the computation for reconstructing the secret information described in equation (3). 

As described above, in a multiparty protocol, any two of the members have a secure channel over which they can communicate without revealing the content of their communication to any of the other members. The members generate shares of their secret information $X_{m_j}$, use the secure channels to distribute the shares to other members, and then use the shares they receive from other members (and shares they retain themselves) to calculate shares of the value of a mathematical function of the secret information $X_{m_j}$. The value of the function can then be calculated from these shares without revealing the secret information $X_{m_j}$. 
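The (k, n) threshold scheme of equations (1) to (4) and the shared addition and distributed multiplication of equations (5) to (16), worked through in Python as an added example; this code is not part of the specification. It assumes a prime modulus $q = 2^{61} - 1$, the member IDs 1, 2, 3 and the inputs in demo(), all chosen for illustration, and draws the random coefficients $R_{m_j,i}$ from Python's `secrets` module. The secure channels are simulated by handing dictionary entries between members inside one process.

```python
# Added example (not from the specification): Shamir (k, n) threshold sharing
# over GF(q), equations (1)-(4), and the shared addition / distributed
# multiplication of equations (5)-(16). The modulus Q, the thresholds and the
# member IDs and inputs in demo() are assumptions chosen for illustration.
import secrets

Q = 2**61 - 1  # prime q for GF(q); assumption: any prime larger than the secret


def share(secret, k, ids, q=Q):
    """Equations (1)-(2): pick f(x) = S + R_1 x + ... + R_{k-1} x^{k-1} with
    random R_i in GF(q) and hand member m_j the value X_{m_j} = f(m_j)."""
    assert len(set(ids)) == len(ids) and 0 not in ids, "IDs must be distinct, non-zero"
    coeffs = [secret % q] + [secrets.randbelow(q) for _ in range(k - 1)]
    shares = {}
    for m in ids:
        value, power = 0, 1  # evaluates equation (2) term by term
        for c in coeffs:
            value = (value + c * power) % q
            power = power * m % q
        shares[m] = value
    return shares


def lagrange_coeff(ids, j, q=Q):
    """Equation (4): r_{m_j} = prod_{i != j} m_i / (m_i - m_j) in GF(q)."""
    num, den = 1, 1
    for i in ids:
        if i != j:
            num = num * i % q
            den = den * (i - j) % q
    return num * pow(den, -1, q) % q


def reconstruct(shares, q=Q):
    """Equation (3): S = sum_j r_{m_j} X_{m_j} over any t >= k collected shares."""
    ids = list(shares)
    return sum(lagrange_coeff(ids, j, q) * shares[j] for j in ids) % q


def mpc_share_inputs(inputs, k, q=Q):
    """Sharing round, equations (6)-(7): member j splits its input X_{m_j} among
    all t members with the (k, t) scheme. Returns view[p] = {j: X_{m_j,p}}, i.e.
    what member p holds after every share has crossed its secure channel."""
    ids = list(inputs)
    view = {p: {} for p in ids}
    for j, x in inputs.items():
        for p, sh in share(x, k, ids, q).items():
            view[p][j] = sh
    return view


def mpc_add(view, a, b, q=Q):
    """Equation (9): each member adds its shares of the two inputs locally."""
    return {p: (view[p][a] + view[p][b]) % q for p in view}


def mpc_mul(view, a, b, k, q=Q):
    """Steps S101-S103, equations (12)-(16). Products of shares lie on a
    polynomial of degree 2(k-1), so the t members can only interpolate it when
    2(k-1) <= t-1, i.e. k <= (t+1)/2 (equation (11))."""
    ids = list(view)
    assert 2 * k <= len(ids) + 1, "equation (11) violated: too few members for k"
    # S101, equation (12): local product Y'_{m_j} = X_{m_A,j} * X_{m_B,j}
    partial = {j: view[j][a] * view[j][b] % q for j in ids}
    # S102, equations (13)-(14): every member re-shares its product (degree k-1)
    reshared = mpc_share_inputs(partial, k, q)  # reshared[j] = {i: Y'_{m_i,j}}
    # S103, equations (15)-(16): combine the t received shares with r_{m_i};
    # the result is again a degree-(k-1) share of Y = X_{m_A} * X_{m_B}
    return {j: sum(lagrange_coeff(ids, i, q) * reshared[j][i] for i in ids) % q
            for j in ids}


def demo(k=2, q=Q):
    """Three members (t = 3, k = 2) add and multiply X_{m_1} and X_{m_2} without
    revealing them; the caller opens each result from any k output shares."""
    inputs = {1: 12345, 2: 678, 3: 9}  # constructed inputs; keys are member IDs
    view = mpc_share_inputs(inputs, k, q)
    y_add = mpc_add(view, 1, 2, q)
    y_mul = mpc_mul(view, 1, 2, k, q)
    opened = [dict(list(y.items())[:k]) for y in (y_add, y_mul)]  # k of the t shares
    return tuple(reconstruct(o, q) for o in opened)


if __name__ == "__main__":
    print(demo())  # (13023, 8369910)
```

The assertion in mpc_mul is the practical form of condition (11): with t = 3 members the protocol can multiply only for k = 2, and a distributor who issues (3, 3) shares and later asks the members to multiply obtains output shares that do not interpolate to the product. Member IDs must also be distinct and non-zero; an ID of 0 hands that member the secret itself as its share, and repeated IDs make a denominator in equation (4) vanish.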

Structure of the First Embodiment 

In the first embodiment, the original secret information $S$ is shared by using a secret sharing scheme with simple addition and subtraction operations instead of the (k, n) threshold secret sharing scheme, and the generated shares are secretly distributed to a group comprising a plurality of members (e.g., devices with computing and memory facilities). The secret sharing scheme is used as shown in FIG. 2, which illustrates the operation of a secret sharing operation unit 201 that executes the secret sharing scheme. The secret sharing operation unit 201 operates differently from the conventional secret sharing operation unit 101, as will be described below. In the following descriptions, the original secret information input to the secret sharing operation unit 201 is denoted $S$, which is an element of the finite field $\mathrm{GF}(q)$, and the number of members holding the distributed shares is denoted $n$. First, $n - 1$ random elements $X_1, X_2, \ldots, X_{n-1}$ are selected from the finite field $\mathrm{GF}(q)$ by the secret sharing operation unit 201. Next, an $n$-th element $X_n$ of the finite field $\mathrm{GF}(q)$ is obtained by the following equation (17).

$X_n = S - (X_1 + X_2 + \cdots + X_{n-1})$    (17)

The computation of equation (17) is carried out in the finite field $\mathrm{GF}(q)$, as are all computations in the descriptions below, unless otherwise stated. The secret sharing operation unit 201 outputs the values $X_1, X_2, \ldots, X_n$, including the value obtained from equation (17), and distributes each of the values to a different member as its share of the secret information $S$. Some of the values $X_1, X_2, \ldots, X_n$ may be equal. 

When the original secret information $S$ is shared by using the secret sharing scheme as described above, the secret information $S$ cannot be reconstructed unless all $n$ members holding the distributed shares are collected. The secret information $S$ can then be reconstructed by the following equation (18).

$S = X_1 + X_2 + \cdots + X_n$    (18)

The secret sharing scheme described above will be 
referred to below as the 'summation secret sharing scheme'. 
In the first embodiment, shares that are generated by using 
the summation secret sharing scheme described above are 
distributed to members, who hold the distributed shares in 
secret. When the original secret information S is needed, 
although it could be reconstructed by the above equation 
(18) , in the secret reconstruction method according to the 
first embodiment, the secret information S is reconstructed 
without revealing the shares held in secret by the collected 
members by using a multiparty protocol . 

In the first embodiment, the shares generated from the 
original secret information S by using the secret sharing 
scheme described above (using equation (17) above) are 
secretly distributed to the members of the group as first 
shares. Assuming that there are n members in the group, the 
first shares are denoted Xj (j = 1, 2, . . . , n) . 

In the first embodiment, all n members are collected to 
reconstruct the secret information S. Any two of the members 
have a secure channel over which they can communicate 
without revealing the content of their communication to any 
of the other members. FIG. 3 illustrates secure channels 303 
used for communication between the members in the first 
embodiment. In FIG. 3, the rectangular boxes indicate the collected members, the symbols $m'_1, m'_2, \ldots, m'_j, \ldots, m'_t$ indicate the member IDs, and the bi-directional arrows indicate the secure channels 303 over which any two of the members can communicate without revealing the content of their communication to any of the other members. 

The secret reconstruction method according to the first 
embodiment will be outlined below with reference to FIG. 4. 
FIG. 4 illustrates a case in which there are three members 
holding respective shares $A$, $B$, and $C$ generated from the original secret information $S$ by using the summation secret sharing scheme. When the original secret information $S$ is reconstructed, the first shares $A$, $B$, $C$ held by the members are further shared by using the summation secret sharing scheme to generate second shares from shares $A$, $B$, $C$. More specifically, as indicated by the circled reference numeral 1 in FIG. 4, shares $A_1, A_2, A_3$ are generated from share $A$, shares $B_1, B_2, B_3$ from share $B$, and shares $C_1, C_2, C_3$ from share $C$. Subsequently, as indicated by the circled reference numeral 2, the second shares generated from shares $A$, $B$, $C$ are distributed to the other members. Each member receives one share of each of shares $A$, $B$, $C$, i.e., shares $A_1, B_1, C_1$, shares $A_2, B_2, C_2$, or shares $A_3, B_3, C_3$. The member carries out its part of a distributed computation on the basis of these shares and outputs the result as indicated by the circled reference numeral 3. Finally, as indicated by the circled reference numeral 4, the original secret information $S$ is reconstructed by collecting the results of the distributed computations carried out using shares $A_1, B_1, C_1$, shares $A_2, B_2, C_2$, and shares $A_3, B_3, C_3$, instead of using shares $A$, $B$, and $C$ directly. 

FIG. 5 is a block diagram illustrating a structure 
embodying the method of reconstructing secret information 
according to the first embodiment (a secret reconstruction 
system according to the first embodiment) . The secret 
reconstruction method according to the first embodiment will 
be described with reference to FIG. 5. As shown in FIG. 5, 
each of the n collected members (n devices with computing 
and memory facilities) has a distributed secret 
reconstruction operation unit (DIST OP UNIT) 301 (301-1, 
301-2, . . . , 301-n) , which corresponds to shared secret 
reconstruction apparatus according to the first embodiment 
and carries out an operation leading to the reconstruction 
of the secret information. Reference numeral 301-j (j = 1, 
2,..., n) indicates the distributed secret reconstruction 
operation unit 301 provided in member j . The distributed 
secret reconstruction operation unit 301-j (j = 1, 2,..., n) 
in member j is connected to the distributed secret 
reconstruction operation units 301 in the other members 
through secure channels 303 similar to the ones shown in FIG. 
3. The outputs from the distributed secret reconstruction 
operation units 301-j (j = 1, 2,..., n) obtained from the 
members are input as intermediate results to a secret 
reconstruction operation unit 302. 

The secret reconstruction operation unit 302 receives the $n$ intermediate results output from the members' distributed secret reconstruction operation units 301-j ($j = 1, 2, \ldots, n$), uses them to reconstruct the secret information, and outputs the reconstructed secret information. If the intermediate results output from the members' distributed secret reconstruction operation units 301-j ($j = 1, 2, \ldots, n$) are denoted $S_j$ ($j = 1, 2, \ldots, n$), the original secret information $S$ can be obtained from the following equation (19).

$S = S_1 + S_2 + \cdots + S_n = \sum_{j=1}^{n} S_j$    (19)

The computation of equation (19) is carried out in the finite field $\mathrm{GF}(q)$. 

Each of the distributed secret reconstruction operation 
units 301-j (j = 1, 2,..., n) is operated by a different 
member, and the content of the operation is not revealed to 
the other members. The secret reconstruction operation unit 
302 may be operated by a central facility (a processor 
separate from the members) that is specialized for this 
operation, or may be operated by one or a plurality of the 
collected members. It is preferable for the secret 
reconstruction operation unit 302 to be operated by the 
member or members who need the secret information S. 

FIG. 6 is a block diagram illustrating the structure of the distributed secret reconstruction operation unit 301-j ($j = 1, 2, \ldots, n$) in FIG. 5. The distributed secret reconstruction operation unit 301-j will be described with reference to FIG. 6. As shown in FIG. 6, the distributed secret reconstruction operation unit 301-j comprises a secret sharing operation unit 401-j having one input and $n$ outputs, and an $n$-term adder 402-j having $n$ inputs and one output. One of the outputs ($X_{j,j}$) from the secret sharing operation unit 401-j is input to the $n$-term adder 402-j. The output of the $n$-term adder 402-j becomes the intermediate result output by the distributed secret reconstruction operation unit 301-j.

A share $X_j$ of the original secret information $S$, which is held by member j, is input to the secret sharing operation unit 401-j. Second shares are generated from the share $X_j$ input to the secret sharing operation unit 401-j by using the summation secret sharing scheme, and are distributed via the secure channels 303 that communicate with the other members. The second shares $X_{j,p}$ ($p = 1, 2, \ldots, n$) of share $X_j$ are obtained by selecting $n - 1$ random elements from the finite field $\mathrm{GF}(q)$ as shares $X_{j,1}, X_{j,2}, \ldots, X_{j,n-1}$ and then calculating share $X_{j,n}$ by the following equation (20).

$X_{j,n} = X_j - (X_{j,1} + X_{j,2} + \cdots + X_{j,n-1})$    (20)

Among these shares $X_{j,1}, X_{j,2}, \ldots, X_{j,n}$, member j's own share $X_{j,j}$ is output to the $n$-term adder 402-j and the other shares $X_{j,p}$ ($p = 1, 2, \ldots, n$, $p \ne j$) are distributed through the secure channels 303 to the other members. 

The $n$-term adder 402-j thus receives the share $X_{j,j}$ of the share $X_j$ of the original secret information from the secret sharing operation unit 401-j. In addition, the $n$-term adder 402-j receives the shares $X_{1,j}, \ldots, X_{j-1,j}, X_{j+1,j}, \ldots, X_{n,j}$ of the shares $X_p$ ($p = 1, 2, \ldots, n$, $p \ne j$) of the original secret information $S$, which are distributed from the other members via the secure channels 303. Using these $n$ second shares $X_{p,j}$ ($p = 1, 2, \ldots, n$) of the first shares of the original secret information $S$, a third share $S_j$ of the original secret information $S$ is computed and output as an intermediate result. It should be noted here that the share $S_j$ which is used when the secret information $S$ is reconstructed differs from the share $X_j$ which is obtained when the secret information $S$ is shared. The $n$-term adder 402-j carries out the computation shown in the following equation (21) and outputs the share $S_j$ of the secret information $S$.

$S_j = X_{1,j} + X_{2,j} + \cdots + X_{n,j} = \sum_{p=1}^{n} X_{p,j}$    (21)

Operation of the First Embodiment 

FIG. 7 is a flow chart showing the operation of the secret reconstruction method according to the first embodiment. To reconstruct the original secret information $S$, all members ($n$ members) are collected. The first shares held by the collected members will again be denoted $X_1, X_2, \ldots, X_n$.

First, second shares are generated from each of the shares $X_1, X_2, \ldots, X_n$ held by the $n$ members by using the summation secret sharing scheme and are distributed to the members (step S501). Step S501 indicates the operation of the secret sharing operation unit 401-j in FIG. 6, in which second shares $X_{j,p}$ ($p = 1, 2, \ldots, n$) are obtained from the first share $X_j$ by generating random elements and performing the calculation in equation (20), and the second shares are distributed to the members. 

Next, each member carries out the computation using the second share $X_{j,j}$ it generated itself and the second shares $X_{p,j}$ ($p = 1, 2, \ldots, n$, $p \ne j$) it received from the other members to obtain a share $S_j$ of the original secret information $S$ (step S502) as an intermediate result. Step S502 indicates the operation of the $n$-term adder 402-j in FIG. 6, in which member j carries out the computation in equation (21) on the second shares $X_{p,j}$ ($p = 1, 2, \ldots, n$) to obtain the intermediate result $S_j$. 

Next, the original secret information S is 
reconstructed from the intermediate results Sj computed by 
the members in step S502 (step S503) . This operation is 
carried out by the secret reconstruction operation unit 302 
in FIG. 5. The original secret information S is obtained 
from the intermediate results Sj (j =1, 2,..., n) computed 
by the members j , using the above equation (19) . 
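The three steps S501 to S503 above, simulated end to end as an added example that is not part of the patent's own description: each member re-shares its first share with the summation scheme, adds the one second share it receives from every member, and the intermediate results are summed. The prime modulus, the secret value, the number of members and the random seed are constructed for the demonstration; equation (19) is assumed here to be the summation of the intermediate results, which the summation secret sharing scheme implies. The demo also exercises the authentication effect described in the next section: a device holding a value that is not a valid share shifts the sum away from the registered S, and the same first shares are accepted again on a second run.

```python
# Added example (not the patent's own code): first-embodiment reconstruction
# (steps S501-S503) simulated for n members over a constructed field GF(q).
import random

Q = 2**61 - 1  # constructed prime modulus for the finite field GF(q)


def summation_share(value, n, q, rng=None):
    """Split `value` into n shares that sum to it in GF(q): n-1 random
    elements plus one share that fixes the total (summation secret sharing).
    A deployment would use a CSPRNG such as random.SystemRandom."""
    rng = rng if rng is not None else random.SystemRandom()
    shares = [rng.randrange(q) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % q)
    return shares


def reconstruct_first_embodiment(first_shares, q, rng=None):
    """Simulate the n collected members of FIG. 6 and return the value the
    secret reconstruction operation unit 302 outputs."""
    n = len(first_shares)
    # Step S501: member j re-shares X_j into second shares X_{j,1..n}
    # (equation (20)); second[j][p] is X_{j,p}, sent to member p over the
    # secure channel. No member other than j ever sees X_j itself.
    second = [summation_share(x, n, q, rng) for x in first_shares]
    # Step S502: member j adds the one second share it holds from each
    # member (equation (21)): S_j = X_{1,j} + ... + X_{n,j}.
    intermediate = [sum(second[p][j] for p in range(n)) % q for j in range(n)]
    # Step S503: the intermediate results are summed. Every X_p is the sum
    # of its own second shares, so this equals X_1 + ... + X_n = S
    # (assumed form of equation (19), as the summation scheme implies).
    return sum(intermediate) % q


def authenticate(first_shares, registered_secret, q, rng=None):
    """Authentication use of the scheme: compare the reconstruction result
    with the registered S; a device without a valid share makes it differ."""
    return reconstruct_first_embodiment(first_shares, q, rng) == registered_secret


def demo():
    rng = random.Random(7)  # fixed seed so the run is reproducible
    S = 0x1234ABCD           # constructed secret information
    n = 4
    shares = summation_share(S, n, Q, rng)  # the first shares X_1..X_n
    genuine = authenticate(shares, S, Q, rng)
    # An impostor contributes a value that is not a valid share: the sum
    # of intermediate results becomes S + 5, so the check fails.
    forged = shares[:-1] + [(shares[-1] + 5) % Q]
    impostor = authenticate(forged, S, Q, rng)
    # The first shares are reusable: a second run with the same X_j passes.
    again = authenticate(shares, S, Q, rng)
    return genuine, impostor, again


if __name__ == "__main__":
    print(demo())
```

Each call to `summation_share` inside `reconstruct_first_embodiment` draws fresh random elements, which is what makes the second shares a member receives uninformative about the other members' first shares; reusing the same X_j across runs costs nothing because only the second shares are ever transmitted.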

Effects of the First Embodiment 

As described above, according to the first embodiment, 
the original secret information S can be reconstructed 
without revealing the shares Xj held secretly by the 
collected members to any other member or any third party. 
Accordingly, the shares Xj held by the members can be reused 
the next time the secret information is reconstructed. In 
addition, these effects can be obtained without the need for 
a central secret reconstruction facility. In the first 
embodiment, although the original secret information S 
cannot be reconstructed without collecting all members 
holding shares Xj , the members can remain anonymous and in 
addition the amounts of both computation and communication 
can be reduced because it suffices for the members to 
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communicate with each other only once to distribute the 
second shares when the secret information is reconstructed. 

Further, if a member (a device with computing and 
memory facilities) not holding a share Xj of the secret 
information S tries to participate in the reconstruction of 
the secret information S, the reconstruction will fail. 
Therefore, the first embodiment provides an authentication 
scheme that can determine whether all members in a group 
comprising a plurality of collected members are valid 
members or not, thereby determining whether they are the 
members to whom the shares Xj of the secret information S 
were previously distributed or not. Furthermore, in the 
first embodiment, since the shares Xj are reusable as 
described above, the authentication scheme can be used 
repeatedly without updating the shares Xj of the secret 
information S. The authentication scheme is also very robust 
under attack by an attacker who pretends to be a member by 
wiretapping. The authentication scheme described above has 
features that cannot be achieved by simply combining the 
secret reconstruction features of the secret sharing scheme 
and the shared operation features of the multiparty protocol. 
The above authentication scheme makes use of the original 
secret information S as registered information that is 
compared with the reconstruction result to decide if the 
authentication is valid or not, so it is not necessary for 
the original secret information S to be kept secret from the 
members. 

Second Embodiment 
General Description 
In the second embodiment, as in the first embodiment, 
secret information S is reconstructed from shares held by a 
plurality of members by executing a multiparty protocol in 
which the members do not reveal their shares. The 
reconstruction process is carried out by a secret 
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reconstruction system comprising a plurality of distributed 
secret reconstruction operation units operated by the 
members and a secret reconstruction operation unit operated 
by one or more of the members or by a central facility. 

In the first embodiment, shares of the secret 
information S are generated by using the summation secret 
sharing scheme and secretly distributed to a group of 
members, all of whom must cooperate in order to reconstruct 
the original secret information S. In contrast, in the 
second embodiment, shares of the original secret information 
S are generated by using the (k, n) threshold secret sharing 
scheme and secretly distributed to a group of members. The 
original secret information S can be reconstructed by k 
members (k ≤ n), so participation of all n members in the 
reconstruction process is not necessarily required. 

When the original secret information S is reconstructed, 
the shares held by t collected members (t ≥ k) are used to 
reconstruct the original secret information S by the method 
of equation (3) , except that the original secret information 
is reconstructed by using a multiparty protocol, without 
revealing the shares held secretly by the collected members. 
Structure of the Second Embodiment 
In the second embodiment, shares of the original secret 
information S are generated by using the (k, n) threshold 
secret sharing scheme, and the shares are secretly 
distributed to a group of n members (devices with computing 
and memory facilities) . The n members in the group have 
member IDs denoted m_1, m_2, ..., m_n, which are used when the 
secret information S is shared. The share of the secret 
information S distributed to the member having member ID mj 
(j = 1, 2, ..., n) is denoted Xmj (j = 1, 2, ..., n). When t 
members (t ≥ k) are collected to reconstruct the original 
secret information S, the member IDs and shares held by the 
collected members are denoted m'_1, m'_2, ..., m'_t, and Xm'_1, 
Xm'_2, ..., Xm'_t, respectively. Any two of the collected 
members have a secure channel similar to the one in FIG. 3, 
over which they can communicate without revealing the 
content of their communication to any of the other members. 
It will be assumed that the member IDs m'_1, m'_2, ..., m'_t given 
to the t collected members are revealed values. 

FIG. 8 is a block diagram illustrating a structure 
embodying the method of reconstructing secret information 
according to the second embodiment (a secret reconstruction 
system according to the second embodiment) . The secret 
reconstruction method of the second embodiment will be 
described with reference to FIG. 8. As shown in FIG. 8, the 
t collected members (t devices with computing and memory 
facilities) having the member IDs m'_1, m'_2, ..., m'_t possess 
distributed secret reconstruction operation units 601-1, 
601-2, ..., 601-t (shared secret reconstruction apparatus 
according to the second embodiment), which are means for 
reconstructing the secret information by a sharing operation. 
The distributed secret reconstruction operation unit 601-j 
(j = 1, 2, ..., t) is operated by the member having member ID 
m'j. Each distributed secret reconstruction operation unit 
601-j (j = 1, 2, ..., t) is connected to the other 
distributed secret reconstruction operation units 601 
through secure channels 303 similar to the ones shown in FIG. 
3. The output from each distributed secret reconstruction 
operation unit 601-j (j = 1, 2,..., t) is input to a secret 
reconstruction operation unit 602. The structure and 
operation of the distributed secret reconstruction operation 
units 601 and secret reconstruction operation unit 602 
differ from those of the distributed secret reconstruction 
operation units 301 and secret reconstruction operation unit 
302 in the first embodiment. 

The secret reconstruction operation unit 602 receives 
the t values output from the members' distributed secret 
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reconstruction operation units 601-j (j = 1, 2,..., t) , uses 
them as t shares to reconstruct the secret information, and 
outputs the reconstructed secret information. If the values 
output from the members' distributed secret reconstruction 
operation units 601-j (j = 1, 2, ..., t) are denoted Sm'j, the 
original secret information S can be obtained from the 
following equations (22) and (4), equation (22) being 
obtained by replacing Xm'j in equation (3) with Sm'j. 

S = rm'_1 Sm'_1 + rm'_2 Sm'_2 + ... + rm'_t Sm'_t = \sum_{j=1}^{t} rm'_j Sm'_j    (22)

rm'_j = (m'_1 \times m'_2 \times ... \times m'_t / m'_j) 
      / ((m'_1 - m'_j) \times (m'_2 - m'_j) \times ... \times (m'_{j-1} - m'_j) \times 
         (m'_{j+1} - m'_j) \times ... \times (m'_t - m'_j)) 
      = \prod_{i=1, i \neq j}^{t} m'_i / (m'_i - m'_j)    (4)

The computation of the above equation (22) is carried out in 
a finite field GF(q), as noted above. 

Each of the distributed secret reconstruction operation 
units 601-j (j = 1, 2,..., t) is operated by a different 
member, and the content of the operation is not revealed to 
the other members. The secret reconstruction operation unit 
602 may be operated by a central facility (a processor 
separate from the members) that is specialized for this 
operation, or by one or more of the collected members, 
preferably by the member or members who need the secret 
information S. 

FIG. 9 is a block diagram illustrating the structure of 
the distributed secret reconstruction operation unit 601-j 
( j = 1 , 2 , . . . , t) in FIG. 8. The distributed secret 
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reconstruction operation unit 601-j will be described with 
reference to FIG. 9. As shown in FIG. 9, the distributed 
secret reconstruction operation unit 601-j comprises a 
secret sharing operation unit 701-j and a linear combination 
operation unit 702-j . One of the outputs from the secret 
sharing operation unit 701-j is input to the linear 
combination operation unit 702-j . The output of the linear 
combination operation unit 702-j becomes the intermediate 
result output by the distributed secret reconstruction 
operation unit 601-j . 

The share Xm'j of the original secret information S held 
by the member having member ID m'j , is input to the secret 
sharing operation unit 701-j . The secret sharing operation 
unit 701-j generates shares from the share Xm'j by using the 
(k', t) threshold secret sharing scheme, where k' is equal to 
or less than t, and distributes them to the other members 
through the secure channels 303. In this sharing operation, 
polynomials of degree k' - 1 are generated by replacing mj 
and k in the above equation (6) with m'j and k', respectively, 
as shown in the following equation (23). 

f_{m'_j}(x) = Xm'_j + Rm'_{j,1} x + Rm'_{j,2} x^2 + ... + Rm'_{j,k'-1} x^{k'-1}    (23)

In this equation, Rm'_{j,1}, Rm'_{j,2}, ..., Rm'_{j,k'-1} are k' - 1 random 
elements selected from the finite field GF(q). 

The share Xm'_{j,p} that will be distributed to the member 
having member ID m'_p (p = 1, 2, ..., t) can be calculated 
using the above equation (23), as shown in the following 
equation (24) (see the above equation (7)). 

Xm'_{j,p} = f_{m'_j}(m'_p) 
         = Xm'_j + Rm'_{j,1} (m'_p) + Rm'_{j,2} (m'_p)^2 + ... + Rm'_{j,k'-1} (m'_p)^{k'-1}    (24)

The share Xm'_{j,j}, which a member j generated itself, is 
input to the linear combination operation unit 702-j, and 
the other shares Xm'_{j,p} (p = 1, 2, ..., t, p ≠ j) are 
distributed to the other members through the secure channels 
303. 

The linear combination operation unit 702-j thus 
receives a share Xm'_{j,j} of the share Xm'j of the original 
secret information from the secret sharing operation unit 
701-j. In addition, the linear combination operation unit 
702-j receives shares Xm'_{1,j}, ..., Xm'_{j-1,j}, Xm'_{j+1,j}, ..., Xm'_{t,j} of 
the shares Xm'_p (p = 1, 2, ..., t, p ≠ j) of the original 
secret information S, which are sent by the other members 
via the secure channels 303. Using these t second shares 
Xm'_{p,j} (p = 1, 2, ..., t) of the first shares Xm'_p of the 
original secret information S, a third share Sm'j of the 
original secret information S is computed and output as an 
intermediate result. It should be noted here that the share 
Sm'j which is used when the secret information S is 
reconstructed differs from the share Xm'j which is obtained 
when the secret information S is shared. The linear 
combination operation unit 702-j carries out the 
computations shown in the following equations (25) and (26) 
to obtain the third share Sm'j, or the intermediate result. 

Sm'_j = rm'_1 Xm'_{1,j} + rm'_2 Xm'_{2,j} + ... + rm'_t Xm'_{t,j} = \sum_{p=1}^{t} rm'_p Xm'_{p,j}    (25)

rm'_p = (m'_1 \times m'_2 \times ... \times m'_t / m'_p) 
      / ((m'_1 - m'_p) \times (m'_2 - m'_p) \times ... \times (m'_{p-1} - m'_p) \times 
         (m'_{p+1} - m'_p) \times ... \times (m'_t - m'_p)) 
      = \prod_{i=1, i \neq p}^{t} m'_i / (m'_i - m'_p)    (26)

In the above equation (26), since m'_1, m'_2, ..., m'_t are 
revealed values, it is possible to calculate rm'_p. 

Operation of the Second Embodiment 

FIG. 10 is a flowchart illustrating the operation of 
the secret reconstruction method according to the second 
embodiment. To reconstruct the original secret information S, 
t members are collected. The member IDs and first shares 
held by the collected members will again be denoted m'_1, 
m'_2, ..., m'_t and Xm'_1, Xm'_2, ..., Xm'_t, respectively. 

Second shares are generated from each of the first 
shares held by the t members by using the (k', t) threshold 
secret sharing scheme, and are distributed to the members 
(step S801). Step S801 indicates the operation of the secret 
sharing operation unit 701-j in FIG. 9, in which the first 
share Xm'j held by the member having member ID m'j (j = 1, 
2, ..., t) is shared by using equation (23) above, and the 
second shares Xm'_{j,p}, which are calculated by equation (24), 
are distributed to the members having member IDs m'_p (p = 1, 
2, ..., t). 

Next, each member carries out a computation using the 
second share Xm'_{j,j} it generated itself and the second shares 
Xm'_{p,j} (p = 1, 2, ..., t, p ≠ j) it received from the other 
members to obtain a share Sm'j of the original secret 
information S (step S802) as an intermediate result. Step 
S802 indicates the operation of the linear combination 
operation unit 702-j in FIG. 9, in which a member j carries 
out the computation in the above equation (25) on the second 
shares Xm'_{p,j} (p = 1, 2, ..., t) and the revealed member IDs m'_p 
(p = 1, 2, ..., t) to obtain the intermediate result Sm'j. 

Finally, the original secret information S is 
reconstructed from the intermediate results Sm'j computed by 
the members in step S802 (step S803). Step S803 indicates 
the operation of the secret reconstruction operation unit 
602 in FIG. 8, in which the original secret information S is 
obtained from the intermediate results Sm'j (j = 1, 2, ..., t) 
computed by the members j in step S802 by using the above 
equation (22). 

Effects of the Second Embodiment 
As described above, according to the second embodiment, 
the original secret information S can be reconstructed 
without revealing the shares held secretly by the collected 
members to any other member or any third party as in the 
first embodiment. Accordingly, the shares held by the 
members can be reused the next time the secret information 
is reconstructed. In addition, these effects can be obtained 
without the need for a central secret reconstruction 
facility. 

In the first embodiment described above, since the 
original secret information S is shared by the summation 
secret sharing scheme, it cannot be reconstructed unless all 
n members are collected. In contrast, in the second 
embodiment, the original secret information S can be 
reconstructed by any collection of k members or more, where 
k may be less than n. 

As described above, in the second embodiment, although 
the collected members cannot remain anonymous because their 
member IDs, which are distributed when the original secret 
information S is shared, are revealed, the amounts of both 
computation and communication can be reduced because it 
suffices for the members to communicate with each other only 
once to distribute the second shares when the secret 
information is reconstructed, and because each member has to 
communicate only with k other members, where k may be less 
than the full number of members (n) . 
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Further, in the second embodiment , if a member (a 
device with computing and memory facilities) not holding a 
share of the secret information S tries to participate in 
the reconstruction of the secret information S, the 
reconstruction will fail as in the first embodiment. 
Therefore, the second embodiment provides an authentication 
scheme that can determine whether all members in a group 
comprising a plurality of collected members are valid 
members or not, thereby determining whether they are members 
to whom the shares of the secret information S were 
previously distributed or not. Furthermore, in the second 
embodiment, since the first shares are reusable as described 
above, the authentication scheme can be used repeatedly 
without updating the first shares of the secret information 
S. The authentication scheme is also very robust under 
attack by an attacker who pretends to be a member by 
wiretapping. 

The authentication scheme described above has features 
that cannot be achieved by simply combining the secret 
reconstruction features of the secret sharing scheme and the 
shared operation features of the multiparty protocol. The 
above authentication scheme makes use of the original secret 
information S as registered information that is compared 
with the reconstruction result to decide if the 
authentication is valid or not, so it is not necessary for 
the original secret information S to be kept secret from the 
members. 

Third Embodiment 
General Description 
In the third embodiment, as in the first and second 
embodiments, secret information S is reconstructed from 
shares held by a group of n members (n being an integer 
greater than one) by executing a multiparty protocol of the 
first type, in which the members do not reveal their shares. 
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The reconstruction process is carried out by a secret 
reconstruction system comprising a temporary ID generator, a 
plurality of distributed secret reconstruction operation 
units operated by the members, and a secret reconstruction 
operation unit operated by one or more of the members or by 
a central facility. 

In the third embodiment, as in the second embodiment, 
shares of the original secret information S are generated by 
using the (k, n) threshold secret sharing scheme. The 
original secret information S can therefore be reconstructed 
by any collection of k members (k ≤ n), not necessarily 
requiring the participation of all n members. In the second 
embodiment, the member IDs of the collected members are 
revealed in order to reconstruct the secret information, but 
in the third embodiment, the secret information is 
reconstructed without revealing either the shares held by 
the members or their member IDs. 

Structure of the Third Embodiment 

In the third embodiment, as in the second embodiment, a 
group of n members hold shares of the original secret 
information S. The shares are generated by using the (k, n) 
threshold secret sharing scheme and secretly distributed to 
the members. It will be assumed that the n members in the 
group have member IDs m_1, m_2, ..., m_n, which are used when the 
secret information S is shared. The share of the secret 
information S distributed to the member having member ID mj 
(j = 1, 2, ..., n) is denoted Xmj. When the original secret 
information S is reconstructed by t collected members (t ≥ 
k), their member IDs will be denoted m'_1, m'_2, ..., m'_t and 
their shares Xm'_1, Xm'_2, ..., Xm'_t. As in the first and second 
embodiments, any two of the collected members have a secure 
channel over which they can communicate without revealing 
the content of their communication to any of the other 
members (see FIG. 3). The third embodiment, however, differs 
from the second embodiment in that the member IDs m'_1, m'_2, ..., 
m'_t of the collected members are not revealed, so it is 
impossible to know which collected member holds which member 
ID. In the computations below, arithmetic operations 
(addition, subtraction, multiplication, division) are 
carried out in a finite field GF (q) . 

The secret reconstruction method according to the third 
embodiment will be outlined below with reference to FIG. 11. 
FIG. 11 illustrates a case in which there are three members 
(three devices with computing and memory facilities) holding 
respective shares Xm_1, Xm_2, and Xm_3 generated from the 
original secret information S by using a threshold secret 
sharing scheme, and holding respective member IDs m_1, m_2, m_3. 
When the original secret information S is reconstructed, the 
first shares Xm_1, Xm_2, and Xm_3 held by the members are 
further shared by using the threshold secret sharing scheme 
to generate second shares from shares Xm_1, Xm_2, and Xm_3. 
More specifically, as indicated by the circled reference 
numeral 1 in FIG. 11, the secret sharing scheme is used to 
generate shares Xm_{1,1}, Xm_{1,2}, Xm_{1,3} from share Xm_1, shares 
Xm_{2,1}, Xm_{2,2}, Xm_{2,3} from share Xm_2, and shares Xm_{3,1}, Xm_{3,2}, 
Xm_{3,3} from share Xm_3. In addition, the secret sharing scheme 
is used to generate shares m_{1,1}, m_{1,2}, m_{1,3} from member ID 
m_1, shares m_{2,1}, m_{2,2}, m_{2,3} from member ID m_2, and shares 
m_{3,1}, m_{3,2}, m_{3,3} from member ID m_3. The second shares 
generated from shares Xm_1, Xm_2, Xm_3 are distributed to the 
other members as indicated by the circled reference numeral 
2. Each member receives shares of shares Xm_1, Xm_2, Xm_3, i.e., 
shares Xm_{1,1}, Xm_{2,1}, Xm_{3,1}, shares Xm_{1,2}, Xm_{2,2}, Xm_{3,2}, or 
shares Xm_{1,3}, Xm_{2,3}, Xm_{3,3}, and in addition receives shares of 
member IDs m_1, m_2, m_3, i.e., shares m_{1,1}, m_{2,1}, m_{3,1}, shares 
m_{1,2}, m_{2,2}, m_{3,2}, or shares m_{1,3}, m_{2,3}, m_{3,3}. The member 
carries out part of a distributed computation on the basis 
of these shares and outputs the result as indicated by the 
circled reference numeral 3. Finally, as indicated by the 
circled reference numeral 4, the original secret information 
S is reconstructed by collecting the results of the 
distributed computation carried out using shares Xm_{1,1}, 
Xm_{2,1}, Xm_{3,1} and m_{1,1}, m_{2,1}, m_{3,1}, shares Xm_{1,2}, Xm_{2,2}, Xm_{3,2} 
and m_{1,2}, m_{2,2}, m_{3,2}, and shares Xm_{1,3}, Xm_{2,3}, Xm_{3,3} and 
m_{1,3}, m_{2,3}, m_{3,3}, instead of using shares Xm_1, Xm_2, Xm_3 and 
member IDs m_1, m_2, m_3 directly. 

FIG. 12 is a block diagram illustrating a structure 
embodying the method of reconstructing secret information 
according to the third embodiment (a secret reconstruction 
system according to the third embodiment) . The secret 
reconstruction method of the third embodiment will be 
described with reference to FIG. 12. As shown in FIG. 12, 
the t collected members (t devices with computing and memory 
facilities) having the member IDs m'_1, m'_2, ..., m'_t possess 
distributed secret reconstruction operation units 902-1, 
902-2,..., 902-t (shared secret reconstruction apparatus 
according to the third embodiment) , which are means for 
reconstructing the secret information by a sharing operation. 
The secret reconstruction system further comprises a 
temporary ID generator 901 and a secret reconstruction 
operation unit 903. The structures and operations of the 
distributed secret reconstruction operation units 902 and 
secret reconstruction operation unit 903 differ from those 
of the distributed secret reconstruction operation units 301, 
601, and secret reconstruction operation units 302, 602 in 
the first and second embodiments. The temporary ID generator 
901 is connected to the distributed secret reconstruction 
operation units 902-j (j = 1, 2,..., t) of the collected 
members. Each distributed secret reconstruction operation 
unit 902-j ( j = 1 , 2 , . . . , t) is connected to the other 
distributed secret reconstruction operation units 902 
through secure channels 303 similar to the ones shown in FIG. 
3. The output from each distributed secret reconstruction 
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operation unit 902-j ( j = 1 , 2 , . . . , t) is input to the 
secret reconstruction operation unit 903. 

The temporary ID generator 901 generates t mutually 
distinct values d_1, d_2, ..., d_t for the collected t members 
and outputs them to the distributed secret reconstruction 
operation units 902-j (j = 1, 2, ..., t) as temporary member 
IDs. If t mutually distinct values such as internet protocol 
(IP) addresses are available for use, it is possible to make 
use of these values as the temporary member IDs d_1, d_2, ..., 
d_t by requesting the distributed secret reconstruction 
operation units 902-j (j = 1, 2, ..., t) to provide these 
values instead of by generating them. It will be assumed 
that these temporary member IDs d_1, d_2, ..., d_t are revealed, 
so the collected members know which member holds which 
temporary member ID. An exemplary method of revealing this 
information is for each distributed secret reconstruction 
operation unit 902-j (j = 1, 2, ..., t) to report whether it 
corresponds to temporary member ID dj by using a control 
signal. The control signals are indicated by dashed lines in 
FIG. 12. The temporary ID generator 901 then assigns and 
reveals the temporary member IDs d_1, d_2, ..., d_t. 

Each distributed secret reconstruction operation unit 
902-j (j = 1, 2, ..., t) is operated by the member having 
temporary member ID dj so as to receive its own temporary 
member ID from the temporary ID generator 901 and output its 
share of the result of the distributed computation described 
below, together with its temporary member ID dj , to the 
secret reconstruction operation unit 903. 

The secret reconstruction operation unit 903 thus 
receives the t results from the distributed secret 
reconstruction operation units 902-j (j = 1, 2,..., t) , 
reconstructs the secret information by a computation using 
these t results as t shares, and outputs the reconstructed 
secret information. If the value output from each of the 
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distributed secret reconstruction operation units 902-j (j = 
1, 2,..., t) is denoted Sdj (j = 1, 2,..., t) and the 
corresponding temporary member ID is denoted dj , the original 
secret information S can be obtained by replacing m'j and Sm'j 
in the above equations (22) and (4) with dj and Sdj, 
respectively, and calculating the values S and rdj given by 
the following equations (27) and (28) in the finite field 
GF(q) . 

S = rd_1 Sd_1 + rd_2 Sd_2 + ... + rd_t Sd_t = \sum_{j=1}^{t} rd_j Sd_j    (27)

rd_j = (d_1 \times d_2 \times ... \times d_t / d_j) 
     / ((d_1 - d_j) \times (d_2 - d_j) \times ... \times (d_{j-1} - d_j) \times 
        (d_{j+1} - d_j) \times ... \times (d_t - d_j)) 
     = \prod_{i=1, i \neq j}^{t} d_i / (d_i - d_j)    (28)

Each of the distributed secret reconstruction operation 
units 902-j (j = 1, 2, ..., t) is operated by a different 
member, and the content of the operations it performs is not 
revealed to the other members. The temporary ID generator 
901 and secret reconstruction operation unit 903 may be 
operated by a central facility (a processor separate from 
the members) that is specialized for this operation, or may 
be operated by one or a plurality of the collected members, 
preferably by the member or members who need the secret 
information S. 

FIG. 13 is a block diagram illustrating the structure 
of the distributed secret reconstruction operation unit 902-j 
(j = 1, 2, ..., t) in FIG. 12. The distributed secret 
reconstruction operation unit 902-j (j = 1, 2, ..., t) will 
be described with reference to FIG. 13. As shown in FIG. 13, 
the distributed secret reconstruction operation unit 902-j 
comprises a secret sharing operation unit 1001-j and a 
distributed processor 1002-j . The inputs to the distributed 
secret reconstruction operation unit 902-j are supplied to 
the secret sharing operation unit 1001-j , and one of the 
outputs from the secret sharing operation unit 1001-j is 
input to the distributed processor 1002-j . The output of the 
distributed processor 1002-j becomes the intermediate result 
output by the distributed secret reconstruction operation 
unit 902-j . The temporary member ID dj output from the 
temporary ID generator 901 in FIG. 12 is input to the secret 
sharing operation unit 1001-j . The member ID m'j held by the 
member having the temporary member ID dj and that member's 
share Xm'j of the original secret information S are also 
input to the secret sharing operation unit 1001-j . In the 
secret sharing operation unit 1001-j , the received share Xm'j 
and member ID m'j are shared by using the (k', t) threshold 
secret sharing scheme and the generated shares are 
distributed to the other members via the secure channels 303. 
The third embodiment differs from the second embodiment in 
that the third embodiment needs to perform distributed 
multiplication. Therefore, it is necessary for the threshold 
k' of the secret sharing scheme to satisfy the condition 
given by the following inequality (29) (see the above 
equation (11) ) . 

k' < (t + 1) /2 (29) 

The condition in the above inequality (29) is computed 
with normal integers and fractions in the real number field, 
not in the finite field GF (q) . 

As in the second embodiment, to calculate second shares 
of the input shares Xm'j, polynomials of degree k' - 1 similar 
to the above equation (23) are generated as shown in the 
following equation (29'). 

f_{1dj}(x) = Xm'_j + R_{1dj,1} x + R_{1dj,2} x^2 + ... + R_{1dj,k'-1} x^{k'-1}    (29')

In this calculation, the temporary member IDs d_p (p = 1, 
2, ..., t) are used in place of the member IDs m'_p (p = 1, 
2, ..., t), which are kept secret. R_{1dj,1}, R_{1dj,2}, ..., R_{1dj,k'-1} 
are k' - 1 random elements selected from the finite field 
GF(q). 

The share Xm'_{j,p} distributed to the member having 
temporary member ID d_p (p = 1, 2, ..., t) is calculated using 
the above equation (29') as in the following equation (30). 

Xm'_{j,p} = f_{1dj}(d_p) 
         = Xm'_j + R_{1dj,1} (d_p) + R_{1dj,2} (d_p)^2 + ... + R_{1dj,k'-1} (d_p)^{k'-1}    (30)

Similarly, to share the input member ID m'j, polynomials 
of degree k' - 1 shown in the equation (31) below are 
generated, in which R_{2dj,1}, R_{2dj,2}, ..., R_{2dj,k'-1} are k' - 1 
random elements selected from the finite field GF(q). 

f_{2dj}(x) = m'_j + R_{2dj,1} x + R_{2dj,2} x^2 + ... + R_{2dj,k'-1} x^{k'-1}    (31)

The share m'_{j,p} distributed to the member having 
temporary member ID d_p (p = 1, 2, ..., t) is calculated using 
the above equation (31) as in the following equation (32). 

m'_{j,p} = f_{2dj}(d_p) 
        = m'_j + R_{2dj,1} (d_p) + R_{2dj,2} (d_p)^2 + ... + R_{2dj,k'-1} (d_p)^{k'-1}    (32)

The shares Xm'_{j,j} and m'_{j,j}, both of which member j 
generated itself, are output to the distributed processor 
1002-j, whereas the other shares Xm'_{j,p} and m'_{j,p} (p = 1, 2, ..., 
t, p ≠ j) are distributed to the other members' distributed 
processors 1002-p (p = 1, 2, ..., t, p ≠ j) through the 
secure channels 303. 

The distributed processor 1002-j thus receives a share 
m'_{j,j} of the member ID and a share Xm'_{j,j} of the share of the 
original secret information S from the secret sharing 
operation unit 1001-j. In addition, the distributed 
processor 1002-j receives the shares m'_{1,j}, m'_{2,j}, ..., m'_{t,j} of 
the other members' IDs and shares Xm'_{1,j}, Xm'_{2,j}, ..., Xm'_{t,j} of 
the shares of the original secret information S, all of 
which are distributed from the other members' secret sharing 
operation units 1001-p (p = 1, 2, ..., t, p ≠ j) through the 
secure channels 303. Using these shares m'_{p,j} (p = 1, 2, ..., 
t) of the member IDs and second shares Xm'_{p,j} (p = 1, 2, ..., 
t) of the first shares of the original secret information S, 
a third share Sdj of the original secret information S is 
computed and output as an intermediate result. That is, the 
sharing operations are carried out using the above equation 
(3) while the member IDs m'_1, m'_2, ..., m'_t and shares Xm'_1, 
Xm'_2, ..., Xm'_t of the collected members are kept secret. As a 
result of the sharing operations, the members hold the 
shared secret information Sd_1, Sd_2, ..., Sd_t as the 
intermediate results. 
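The second embodiment's steps S801 to S803 (equations (22) to (26)) and the degree condition (29) of the third embodiment, as one added example that is not the patent's own code. Member IDs, temporary IDs, the secret, the prime modulus and the random seed are constructed for the demonstration; the evaluation points follow equations (24) and (30), i.e. the revealed member IDs m'_p in the second embodiment and the temporary IDs d_p in the third. The function `product_shares_recoverable` is this editor's numerical illustration of the degree-doubling argument behind (29), for which the page refers to equation (11): two values are shared with threshold k' at the temporary IDs, the shares are multiplied pointwise, and the t products interpolate back to the true product for k' = 2, t = 5 but not for k' = 4, t = 5.

```python
# Added example (not the patent's own code): second-embodiment reconstruction
# (steps S801-S803) and the share-product degree check behind condition (29).
import random

Q = 2**61 - 1  # constructed prime modulus for the finite field GF(q)


def lagrange_coeffs(ids, q):
    """r_j = prod_{i != j} id_i / (id_i - id_j) in GF(q), as in equations
    (4), (26) and (28); the ids must be distinct and non-zero mod q."""
    coeffs = []
    for j, xj in enumerate(ids):
        num, den = 1, 1
        for i, xi in enumerate(ids):
            if i != j:
                num = num * xi % q
                den = den * (xi - xj) % q
        coeffs.append(num * pow(den, -1, q) % q)
    return coeffs


def shamir_share(secret, k, points, q, rng=None):
    """Evaluate a random degree k-1 polynomial with constant term `secret`
    at each point (equations (23)/(24) with member IDs, (29')/(30) with
    temporary IDs). A deployment would use random.SystemRandom."""
    rng = rng if rng is not None else random.SystemRandom()
    poly = [secret] + [rng.randrange(1, q) for _ in range(k - 1)]
    return [sum(c * pow(x, e, q) for e, c in enumerate(poly)) % q for x in points]


def reconstruct_second_embodiment(member_ids, first_shares, k_prime, q, rng=None):
    """Simulate the t collected members of FIG. 8 and return the value the
    secret reconstruction operation unit 602 outputs."""
    t = len(member_ids)
    assert 1 <= k_prime <= t, "k' must not exceed the number of collected members"
    # Step S801: member j re-shares Xm'_j with the (k', t) scheme evaluated at
    # the revealed IDs m'_p; second[j][p] is Xm'_{j,p}, sent to member p.
    second = [shamir_share(x, k_prime, member_ids, q, rng) for x in first_shares]
    # Step S802: member j combines the Xm'_{p,j} it holds with the public
    # coefficients rm'_p (equations (25) and (26)); Xm'_j itself never leaves j.
    r = lagrange_coeffs(member_ids, q)
    third = [sum(r[p] * second[p][j] for p in range(t)) % q for j in range(t)]
    # Step S803: unit 602 applies equation (22) to the intermediate results.
    return sum(r[j] * third[j] for j in range(t)) % q


def product_shares_recoverable(k_prime, t, q, rng=None):
    """Share two values with the (k', t) scheme at temporary IDs d_p = 1..t,
    multiply the shares pointwise, and ask whether the t products still
    interpolate to the true product. The products lie on a polynomial of
    degree 2(k'-1), so t points suffice only while k' is small enough."""
    rng = rng if rng is not None else random.SystemRandom()
    temp_ids = list(range(1, t + 1))  # constructed temporary member IDs d_p
    a, b = rng.randrange(q), rng.randrange(q)
    sa = shamir_share(a, k_prime, temp_ids, q, rng)
    sb = shamir_share(b, k_prime, temp_ids, q, rng)
    r = lagrange_coeffs(temp_ids, q)
    recovered = sum(r[j] * sa[j] * sb[j] for j in range(t)) % q
    return recovered == a * b % q


def product_demo():
    # k' = 2 satisfies k' < (t + 1) / 2 for t = 5; k' = 4 does not.
    return (product_shares_recoverable(2, 5, Q, random.Random(1)),
            product_shares_recoverable(4, 5, Q, random.Random(1)))


def demo():
    rng = random.Random(2024)          # fixed seed so the run is reproducible
    S = 0x5EC2E7                        # constructed secret information
    k, n = 3, 5
    member_ids = [11, 23, 37, 41, 59]   # constructed member IDs m_1..m_n
    all_shares = shamir_share(S, k, member_ids, Q, rng)  # (k, n) sharing of S
    collected = [0, 2, 3, 4]            # t = 4 >= k members are collected
    ids = [member_ids[i] for i in collected]
    shares = [all_shares[i] for i in collected]
    ok = reconstruct_second_embodiment(ids, shares, 2, Q, rng) == S
    # A device without a valid share is rejected: the output differs from S
    # by rm'_1 times its error, and rm'_1 is non-zero in GF(q).
    forged = [(shares[0] + 1) % Q] + shares[1:]
    rejected = reconstruct_second_embodiment(ids, forged, 2, Q, rng) != S
    return ok, rejected


if __name__ == "__main__":
    print(demo(), product_demo())
```

The intermediate result Sm'_j is the value at m'_j of the polynomial g(x) = sum_p rm'_p f_{m'_p}(x), whose constant term is S; that is why the same coefficients rm'_j serve both in step S802 and in equation (22), and why the re-sharing threshold k' only has to satisfy k' <= t for reconstruction to succeed.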

FIG. 14 is a block diagram illustrating the structure of the distributed processor 1002-j (j = 1, 2, ..., t) in FIG. 13. The distributed processor 1002-j (j = 1, 2, ..., t) will be described with reference to FIG. 14. As shown in FIG. 14, the distributed processor 1002-j comprises t term calculation units 1101-j-a (a = 1, 2, ..., t) and a t-term adder 1102-j receiving t inputs of information. The shares Xm'j,j and m'j,j, both of which are output from the secret sharing operation unit 1001-j, and the shares m'1,j, m'2,j, ..., m't,j of the other members' IDs and shares Xm'1,j, Xm'2,j, ..., Xm't,j of the shares of the original secret information S, all of which are distributed from the other members' secret sharing operation units 1001-p (p = 1, 2, ..., t, p ≠ j) through the secure channels 303, are input to the term calculation units 1101-j-a (a = 1, 2, ..., t). The outputs from the term calculation units 1101-j-a (a = 1, 2, ..., t) are input to the t-term adder 1102-j. The output of the t-term adder 1102-j becomes the intermediate result output by the distributed processor 1002-j. Each term calculation unit 1101-j-a has secure channels 303 that communicate with the other members' secret sharing operation units 1001-p and term calculation units 1101-p-a (p = 1, 2, ..., t, p ≠ j).

The t-term adder 1102-j receives t outputs in total from the term calculation units 1101-j-a (a = 1, 2, ..., t) and adds all of them. That is, if the output from the term calculation unit 1101-j-a is denoted Ya (a = 1, 2, ..., t), the t-term adder 1102-j carries out the calculation shown in the following equation (33) and outputs the result Sdj.

$$Sd_j = Y_1 + Y_2 + \cdots + Y_t \qquad (33)$$

FIG. 15 is a block diagram illustrating the structure of the term calculation units 1101-j-a (a = 1, 2, ..., t) in FIG. 14. The structure of the term calculation units will now be described with reference to FIG. 15. Each term calculation unit 1101-j-a (a = 1, 2, ..., t) comprises: a difference operation unit 1201-j-a; a distributed multiplication unit 1202-j-a receiving t - 1 inputs of information; a distributed multiplication unit 1204-j-a receiving t - 1 inputs of information; a distributed inverse element calculation unit 1203-j-a; a distributed multiplication unit 1205-j-a receiving two inputs of information; and another distributed multiplication unit 1206-j-a receiving two inputs of information. The shares m'1,j, m'2,j, ..., m't,j input to the term calculation units 1101-j-a (a = 1, 2, ..., t) via the secure channels 303 or directly from the secret sharing operation unit 1001-j (in the case of m'j,j) are input to the difference operation unit 1201-j-a. The outputs from the difference operation unit 1201-j-a are input to the distributed multiplication unit 1202-j-a. The output from the distributed multiplication unit 1202-j-a is input to the distributed inverse element calculation unit 1203-j-a, and the output from the distributed inverse element calculation unit 1203-j-a is input to the distributed multiplication unit 1205-j-a. The shares m'1,j, m'2,j, ..., m't,j input to the term calculation unit 1101-j-a (a = 1, 2, ..., t) via the secure channels 303 and directly from the secret sharing operation unit 1001-j are also input to the distributed multiplication unit 1204-j-a, except for m'a,j. The output from the distributed multiplication unit 1204-j-a is input to the distributed multiplication unit 1205-j-a together with the output from the distributed inverse element calculation unit 1203-j-a. The output from the distributed multiplication unit 1205-j-a is input to the distributed multiplication unit 1206-j-a together with Xm'a,j, which is input through the secure channel 303 or directly from the secret sharing operation unit 1001-j (in the case of Xm'j,j) to the term calculation unit 1101-j-a (a = 1, 2, ..., t). The output of the distributed multiplication unit 1206-j-a becomes a share of the intermediate result output by the term calculation unit 1101-j-a. The distributed multiplication units 1202-j-a, 1204-j-a, distributed inverse element calculation unit 1203-j-a, and distributed multiplication units 1205-j-a, 1206-j-a have secure channels 303 over which they can communicate with the other members' distributed multiplication units 1202-p-a, 1204-p-a, 1205-p-a, 1206-p-a and distributed inverse element calculation unit 1203-p-a (p = 1, 2, ..., t, p ≠ j).

The difference operation unit 1201-j-a receives the member IDs m'1,j, m'2,j, ..., m't,j input to the term calculation unit 1101-j-a, and calculates the differences between m'a,j and each of the member IDs m'1,j, m'2,j, ..., m't,j except m'a,j. That is, t - 1 differences are calculated: (m'1,j - m'a,j), (m'2,j - m'a,j), ..., (m'(a-1),j - m'a,j), (m'(a+1),j - m'a,j), ..., (m't,j - m'a,j). These t - 1 results are output to distributed multiplication unit 1202-j-a.

Distributed multiplication units 1202-j-a and 1204-j-a have the same internal structure: each of them receives t - 1 inputs, carries out distributed multiplication of t - 1 elements using the t - 1 inputs and the information received through the secure channels 303, and outputs the result. The values input to each of the distributed multiplication units 1202-j-a and 1204-j-a will be denoted A1,j, A2,j, ..., A(t-1),j. If the original secret, which is reconstructed by the t values Ai,p (p = 1, 2, ..., t) comprising Ai,j input to the distributed multiplication units 1202-j-a and 1204-j-a and Ai,p (p = 1, 2, ..., t, p ≠ j) input to the other members' distributed multiplication units 1202-p-a and 1204-p-a, is denoted Ai (i = 1, 2, ..., t - 1), each of the distributed multiplication units 1202-j-a and 1204-j-a calculates a share Bj of the product B of all of the Ai (i = 1, 2, ..., t - 1), i.e., B = A1 × A2 × ... × A(t-1), which becomes the share obtained by the member having temporary member ID dj. Distributed multiplication unit 1202-j-a receives the t - 1 outputs from the difference operation unit 1201-j-a, carries out a calculation using the received data, and outputs the result to the distributed inverse element calculation unit 1203-j-a. Distributed multiplication unit 1202-j-a also exchanges necessary information with the other members' distributed multiplication units 1202-p-a (p = 1, 2, ..., t, p ≠ j) via the secure channels 303. Distributed multiplication unit 1204-j-a receives the inputs m'1,j, m'2,j, ..., m't,j to the term calculation unit 1101-j-a, excluding m'a,j, carries out a calculation using the received data, and outputs the result to distributed multiplication unit 1205-j-a. Distributed multiplication unit 1204-j-a also exchanges necessary information with the other members' distributed multiplication units 1204-p-a (p = 1, 2, ..., t, p ≠ j) via the secure channels 303.

The distributed inverse element calculation unit 1203-j-a receives the output from distributed multiplication unit 1202-j-a, carries out an operation on the received data and the information received through the secure channels 303, and outputs the result to distributed multiplication unit 1205-j-a. If the output of distributed multiplication unit 1202-j-a is denoted Aj and the secret reconstructable from the t values Ap (p = 1, 2, ..., t), of which Aj is input to distributed inverse element calculation unit 1203-j-a and the other Ap (p = 1, 2, ..., t, p ≠ j) are input to the other members' distributed inverse element calculation units 1203-p-a, is denoted A, the distributed inverse element calculation unit 1203-j-a calculates a share Bj of the inverse element of A in the finite field GF(q), i.e., B = A^(-1), which becomes the share obtained by the member having temporary member ID dj. The distributed inverse element calculation unit 1203-j-a also exchanges necessary information with the other members' distributed inverse element calculation units 1203-p-a (p = 1, 2, ..., t, p ≠ j) via the secure channels 303.

Distributed multiplication units 1205-j-a and 1206-j-a have the same internal structure: each of them receives two inputs, carries out a distributed multiplication of two elements using the two inputs and information received through the secure channels 303, and outputs the result. The values input to distributed multiplication units 1205-j-a and 1206-j-a will now be denoted A1,j, A2,j. If the secret reconstructable from the t values Ai,p (p = 1, 2, ..., t), of which Ai,j is input to distributed multiplication units 1205-j-a and 1206-j-a and the other Ai,p (p = 1, 2, ..., t, p ≠ j) are input to the other members' distributed multiplication units 1205-p-a and 1206-p-a, is denoted Ai (i = 1, 2), each of the distributed multiplication units 1205-j-a and 1206-j-a calculates a share Bj of the product B = A1 × A2, which becomes the share obtained by the member having temporary member ID dj. Distributed multiplication unit 1205-j-a receives the outputs from distributed multiplication unit 1204-j-a and the distributed inverse element calculation unit 1203-j-a, carries out a calculation using the received data, and outputs the result to distributed multiplication unit 1206-j-a. Distributed multiplication unit 1205-j-a also exchanges necessary information with the other members' distributed multiplication units 1205-p-a (p = 1, 2, ..., t, p ≠ j) via the secure channels 303. Distributed multiplication unit 1206-j-a receives the output from distributed multiplication unit 1205-j-a and the value Xm'a,j input to the term calculation unit 1101-j-a, carries out a calculation using these received data, and outputs the result. Distributed multiplication unit 1206-j-a also exchanges necessary information with the other members' distributed multiplication units 1206-p-a (p = 1, 2, ..., t, p ≠ j) via the secure channels 303.

FIG. 16 is a block diagram illustrating the structure of the distributed multiplication units 1205-j-a and 1206-j-a (j = 1, 2, ..., t, a = 1, 2, ..., t) in FIG. 15. The distributed multiplication units 1205-j-a, 1206-j-a will be described with reference to FIG. 16. The two inputs to each of the distributed multiplication units 1205-j-a, 1206-j-a are denoted Adj and Bdj, and the output from each of them is denoted Cdj. Each of the distributed multiplication units 1205-j-a and 1206-j-a comprises a multiplier 1301-j, a secret sharing operation unit 1302-j, and a linear combination operation unit 1303-j. The above-mentioned Adj and Bdj are input to the multiplier 1301-j, the product output from the multiplier 1301-j is input to the secret sharing operation unit 1302-j, and the output from the secret sharing operation unit 1302-j is input to the linear combination operation unit 1303-j. The output of the linear combination operation unit 1303-j becomes the output from each of the distributed multiplication units 1205-j-a and 1206-j-a.

The multiplier 1301-j receives the values Adj and Bdj input to each of the distributed multiplication units 1205-j-a and 1206-j-a, and multiplies the received data as shown in the following equation (34).

$$C'_{d_j} = A_{d_j} \times B_{d_j} \qquad (34)$$

This result C'dj is output to the secret sharing operation unit 1302-j.

The secret sharing operation unit 1302-j has the same internal structure as the secret sharing operation unit 701-j in FIG. 9 in the second embodiment, in which the input value is shared using the (k', t) threshold secret sharing scheme and the generated shares are output. As described above, since distributed multiplication needs to be carried out in the third embodiment, the threshold k' in the secret sharing scheme must satisfy the following condition, computed with normal integers and fractions in the real number field, not in the finite field GF(q).

$$k' < (t + 1)/2 \qquad (29)$$
In the third embodiment, since the member IDs m'1, m'2, ..., m't used for generating the shares are kept secret, the temporary member IDs d1, d2, ..., dt are used. To generate the shares, first, polynomials of degree k' - 1 are generated using the value C'dj input to the secret sharing operation unit 1302-j as shown in equation (35) below, in which R3dj,1, R3dj,2, ..., R3dj,k'-1 are k' - 1 random elements selected from the finite field GF(q).

$$f^{3}_{d_j}(x) = C'_{d_j} + R^{3}_{d_j,1}\,x + R^{3}_{d_j,2}\,x^{2} + \cdots + R^{3}_{d_j,k'-1}\,x^{k'-1} \qquad (35)$$

The share C'dj,p distributed to the member holding temporary member ID dp (p = 1, 2, ..., t) is calculated using the above equation (35) as shown in the following equation (36).

$$C'_{d_j,p} = f^{3}_{d_j}(d_p) = C'_{d_j} + R^{3}_{d_j,1}\,d_p + R^{3}_{d_j,2}\,d_p^{2} + \cdots + R^{3}_{d_j,k'-1}\,d_p^{k'-1} \qquad (36)$$

The share C'dj,j that the secret sharing operation unit 1302-j generated itself is output to the linear combination operation unit 1303-j, and the other shares C'dj,p (p = 1, 2, ..., t, p ≠ j) are distributed to the other members' linear combination operation units 1303-p (p = 1, 2, ..., t, p ≠ j) through the secure channels 303.

The linear combination operation unit 1303-j has the same internal structure as the linear combination operation unit 702-j in FIG. 9 in the second embodiment. In the third embodiment, however, since the member IDs m'1, m'2, ..., m't necessary for the calculation are secret, the temporary member IDs d1, d2, ..., dt are used instead. As described above, the linear combination operation unit 1303-j receives the share C'dj,j from the secret sharing operation unit 1302-j. In addition, it receives the shares C'd1,j, C'd2,j, ..., C'dt,j distributed from the other members' secret sharing operation units 1302-i (i = 1, 2, ..., t, i ≠ j) through the secure channels 303. The linear combination operation unit 1303-j then carries out a calculation using these t shares C'dp,j (p = 1, 2, ..., t) as shown in the following equations (37) and (38), and outputs Cdj.

$$C_{d_j} = r_{d_1} C'_{d_1,j} + r_{d_2} C'_{d_2,j} + \cdots + r_{d_t} C'_{d_t,j} = \sum_{p=1}^{t} r_{d_p} C'_{d_p,j} \qquad (37)$$

$$r_{d_p} = \frac{d_1 \times d_2 \times \cdots \times d_t / d_p}{(d_1 - d_p) \times (d_2 - d_p) \times \cdots \times (d_{p-1} - d_p) \times (d_{p+1} - d_p) \times \cdots \times (d_t - d_p)} = \prod_{\substack{i=1 \\ i \neq p}}^{t} \frac{d_i}{d_i - d_p} \qquad (38)$$

The value rdp in the above equation (38) can be calculated because the temporary IDs d1, d2, ..., dt are revealed and thus known.

FIG. 17 is a block diagram illustrating the structure of the distributed multiplication units 1202-j-a and 1204-j-a (j = 1, 2, ..., t, a = 1, 2, ..., t) in FIG. 15. The distributed multiplication units 1202-j-a, 1204-j-a will be described with reference to FIG. 17. The t - 1 inputs to each of the distributed multiplication units 1202-j-a and 1204-j-a will be denoted A1, A2, ..., A(t-1). Each of the distributed multiplication units 1202-j-a and 1204-j-a comprises t - 2 distributed multiplication units 1401-i (i = 1, 2, ..., t - 2). The t - 2 distributed multiplication units 1401-i are staged so that the output from distributed multiplication unit 1401-i (i = 1, 2, ..., t - 2) becomes one of the inputs to the next distributed multiplication unit 1401-(i+1). Two inputs A1, A2 to the distributed multiplication unit 1202-j-a or 1204-j-a are input to distributed multiplication unit 1401-1, and the output from distributed multiplication unit 1401-1 is input to distributed multiplication unit 1401-2 together with input A3 to the distributed multiplication units 1202-j-a or 1204-j-a. Distributed multiplication unit 1401-i (i = 2, 3, ..., t - 2) receives the output from distributed multiplication unit 1401-(i-1) and input A(i+1) to the distributed multiplication units 1202-j-a or 1204-j-a, and the output from distributed multiplication unit 1401-i (i = 1, 2, ..., t - 3) is input to distributed multiplication unit 1401-(i+1). Finally, the output of distributed multiplication unit 1401-(t-2) becomes the output from the distributed multiplication unit 1202-j-a or 1204-j-a.

The distributed multiplication units 1401-i (i = 1, 2, ..., t - 2) have the same structure as the distributed multiplication units 1205-j-a, 1206-j-a described above, and communicate with the other members' distributed multiplication units 1401-i (i = 1, 2, ..., t - 2) through the secure channels 303.

FIG. 18 is a block diagram illustrating the structure of the distributed inverse element calculation unit 1203-j-a (j = 1, 2, ..., t, a = 1, 2, ..., t) in FIG. 15. The distributed inverse element calculation unit 1203-j-a will be described with reference to FIG. 18. The distributed inverse element calculation unit 1203-j-a comprises qb - 1 distributed multiplication units 1501-i (i = 1, 2, ..., qb - 1) with two inputs each, a multiplication control unit 1502, and a distributed multiplication unit 1503 with qb inputs. The value qb is obtained by subtracting 2 from the order q of the finite field GF(q) used in the third embodiment and then taking the logarithm to base two, as in the following equation (39):

$$q_b = \mathrm{ceil}\left(\log_2 (q - 2)\right) \qquad (39)$$

where ceil(X) indicates the ceiling computation in which a number X is rounded up to the least integer equal to or greater than X, and log2(X) indicates the logarithm of X to base two. The above equation (39) is computed with normal integers and real numbers, not in the finite field GF(q). If the input to the distributed inverse element calculation unit 1203-j-a is denoted Aj and the secret, which is reconstructed by the t values Ap (p = 1, 2, ..., t) comprising the input Aj and the inputs Ap (p = 1, 2, ..., t, p ≠ j) to the other members' distributed inverse element calculation units 1203-p-a, is denoted A, the distributed inverse element calculation unit 1203-j-a calculates and outputs a share Bj of the inverse element B = A^(-1) in the finite field GF(q), which becomes the share obtained by the member holding temporary member ID dj. From the properties of finite fields, the following equation (40) is satisfied by any element A in the finite field GF(q).

$$A^{-1} = A^{q-2} \qquad (40)$$

Therefore, in the distributed inverse element calculation unit 1203-j-a, Aj is raised to the (q - 2)-th power by distributed multiplication.

The qb - 1 distributed multiplication units 1501-i (i = 1, 2, ..., qb - 1) are cascaded so that the output from distributed multiplication unit 1501-i becomes both inputs of the next distributed multiplication unit 1501-(i+1). The input Aj to the distributed inverse element calculation unit 1203-j-a is input to the distributed multiplication unit 1501-1, and the output from the distributed multiplication unit 1501-1 is input to the next distributed multiplication unit 1501-2. The input Aj to the distributed inverse element calculation unit 1203-j-a and the outputs from distributed multiplication units 1501-i (i = 1, 2, ..., qb - 1), which number qb values in all, are input to the multiplication control unit 1502, and the values output from the multiplication control unit 1502 are input to distributed multiplication unit 1503. Finally, the output of the distributed multiplication unit 1503 becomes the output from the distributed inverse element calculation unit 1203-j-a.

The distributed multiplication units 1501-i (i = 1, 2, ..., qb - 1) have the same structure as the distributed multiplication units 1205-j-a, 1206-j-a described above, and communicate with the other members' distributed multiplication units 1501-i (i = 1, 2, ..., qb - 1) via secure channels 303 similar to the ones in FIG. 3.

The multiplication control unit 1502 receives the input Aj to the distributed inverse element calculation unit 1203-j-a and the outputs from the distributed multiplication units 1501-i (i = 1, 2, ..., qb - 1), qb values in all, and outputs each of the qb input values either as is or as the unit element (1), according to the following rule. If the output from distributed multiplication unit 1501-i (i = 1, 2, ..., qb - 1) is denoted Aj,i+1, then qb values Aj,i (i = 1, 2, ..., qb) are input to the multiplication control unit 1502, where Aj,1 = Aj. Next, q - 2 is expressed in binary form. Since q - 2 is expressed as a binary number with qb bits, the bits are denoted, from the most significant bit to the least significant bit, bqb, b(qb-1), ..., b2, b1. If bi (i = 1, 2, ..., qb) is one, then the multiplication control unit 1502 outputs the value Aj,i; if bi is zero, then the multiplication control unit 1502 outputs one (1) instead. The qb output values are input to distributed multiplication unit 1503.

Distributed multiplication unit 1503 has the same structure as the distributed multiplication units 1202-j-a, 1204-j-a described above, except for the number of distributed multiplication units: it has qb - 1 units instead of t - 2. Distributed multiplication unit 1503 also has secure channels 303 over which it communicates with the other members' distributed multiplication units 1503.

Operation of the Third Embodiment

FIG. 19 is a flowchart illustrating the operation of the secret reconstruction method according to the third embodiment. The member IDs of the t collected members and the shares held secretly by the members will again be denoted m'1, m'2, ..., m't, and Xm'1, Xm'2, ..., Xm't, respectively.

As shown in FIG. 19, first the temporary member IDs d1, d2, ..., dt used for the sharing operation are generated and assigned to the collected members, and are distributed and revealed to the members (step S1601). Step S1601 indicates the operation of the temporary ID generator 901 in FIG. 12.

Next, the first shares and member IDs held secretly by the members are shared using the (k', t) threshold secret sharing scheme and the resulting shares are distributed to the other members (step S1602). Step S1602 indicates the operation of the secret sharing operation unit 1001-j in FIG. 13, in which the share Xm'j (j = 1, 2, ..., t) held secretly by the member holding member ID m'j is shared using the above equation (29'), and the second share Xm'j,p (p = 1, 2, ..., t) calculated by the above equation (30) is distributed to the member holding temporary member ID dp. Similarly, the member ID m'j is shared using the above equation (31), and the share m'j,p calculated from the above equation (32) is distributed to the member holding temporary member ID dp.

Next, each member calculates a share of the original secret information S using: the revealed temporary member IDs of the collected members; a second share of its own first share and a share of its own member ID, both of which it generated itself; and second shares of the other members' first shares and shares of the other members' IDs, which it received from the other members (step S1603). Step S1603 indicates the operation of the distributed processor 1002-j in FIG. 13, in which the member holding temporary member ID dj (j = 1, 2, ..., t) carries out the operation for reconstructing the secret information given by the above equation (3) without revealing its member ID m'j (j = 1, 2, ..., t) and first share Xm'j, and finally obtains a share Sdj of the secret information S as an intermediate result from which the original secret information S can be reconstructed.

Finally, the original secret information S is reconstructed from the shares Sdj calculated by the members in step S1603 and the temporary member IDs (step S1604). Step S1604 indicates the operation of the secret reconstruction operation unit 903 in FIG. 12, in which the original secret information S is obtained by the computation in equation (27) on the temporary member IDs dj and the results Sdj obtained by the members holding temporary member IDs dj in step S1603.
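The distributed multiplication of FIG. 16 (equations (34) to (38)), the distributed inverse of FIG. 18 (equations (39) and (40)) and the flow of steps S1601 to S1604 above, carried out in one added Python simulation that is not code from the patent: all t members run inside one process, the secure channels 303 are replaced by in-memory lists, and the prime q, the member IDs, the secret and the thresholds k = 3, k' = 2 are constructed values, with k' chosen to satisfy condition (29).

```python
import secrets

# Constructed parameters for this added example; the patent fixes none of them.
q = 2**31 - 1   # prime order of GF(q); every operation below is mod q

def eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... in GF(q)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % q
    return acc

def share(secret, k, ids):
    """(k, len(ids)) threshold sharing, eqs. (31)-(32) and (35)-(36): a degree
    k-1 polynomial with k-1 random coefficients, evaluated at each ID."""
    coeffs = [secret % q] + [secrets.randbelow(q) for _ in range(k - 1)]
    return [eval_poly(coeffs, d) for d in ids]

def lagrange_coeffs(ids):
    """rd_p = prod_{i != p} d_i / (d_i - d_p), eq. (38), for every p."""
    coeffs = []
    for p, dp in enumerate(ids):
        num, den = 1, 1
        for i, di in enumerate(ids):
            if i != p:
                num = num * di % q
                den = den * (di - dp) % q
        coeffs.append(num * pow(den, q - 2, q) % q)
    return coeffs

def reconstruct(shares, ids):
    """Interpolation at x = 0: secret = sum_p rd_p * share_p (eq. 37 form)."""
    return sum(r * s for r, s in zip(lagrange_coeffs(ids), shares)) % q

def dmul(xs, ys, kp, ids):
    """Distributed multiplication of FIG. 16, simulated centrally: xs[j], ys[j]
    are member j's shares of A and B. Member j multiplies locally (eq. 34),
    re-shares the product with the (k', t) scheme (eqs. 35-36), and every
    member combines the sub-shares it received with rd_p (eqs. 37-38).
    Correct only while 2(k'-1) <= t-1, which is the condition (29)."""
    r = lagrange_coeffs(ids)
    sub = [share(x * y, kp, ids) for x, y in zip(xs, ys)]  # sub[p][j] = C'_dp,j
    return [sum(r[p] * sub[p][j] for p in range(len(ids))) % q
            for j in range(len(ids))]

def dprod(values, kp, ids):
    """Cascaded distributed product of several shared values (FIG. 17)."""
    acc = values[0]
    for v in values[1:]:
        acc = dmul(acc, v, kp, ids)
    return acc

def dinv(xs, kp, ids):
    """Distributed inverse of FIG. 18: A^-1 = A^(q-2) (eq. 40) by repeated
    distributed squaring (units 1501-i), keeping the powers whose bit of
    q-2 is set (unit 1502), then one cascaded product (unit 1503)."""
    e = q - 2
    qb = e.bit_length()            # equals ceil(log2(q-2)) of eq. (39) here
    powers = [xs]                  # A_j,1 = A_j
    for _ in range(qb - 1):        # A_j,i+1 = A_j,i * A_j,i
        powers.append(dmul(powers[-1], powers[-1], kp, ids))
    ones = [1] * len(ids)          # everyone's share of the unit element
    selected = [powers[i] if (e >> i) & 1 else ones for i in range(qb)]
    return dprod(selected, kp, ids)

def anonymous_reconstruct(member_ids, first_shares, kp):
    """Steps S1601-S1604 for t collected members, each holding a member ID
    m'_j and a first share Xm'_j; only shares of those values are computed on."""
    t = len(member_ids)
    d = list(range(1, t + 1))                      # S1601: temporary IDs, revealed
    id_sh = [share(m, kp, d) for m in member_ids]  # S1602: id_sh[p][j] = m'_p,j
    x_sh = [share(x, kp, d) for x in first_shares] #         x_sh[p][j] = Xm'_p,j
    total = [0] * t                                # S1603: inputs of adder 1102-j
    for a in range(t):                             # term calculation unit 1101-j-a
        diffs = [[(id_sh[i][j] - id_sh[a][j]) % q for j in range(t)]
                 for i in range(t) if i != a]                        # unit 1201
        denom = dinv(dprod(diffs, kp, d), kp, d)                      # 1202, 1203
        numer = dprod([id_sh[i] for i in range(t) if i != a], kp, d)  # unit 1204
        term = dmul(dmul(numer, denom, kp, d), x_sh[a], kp, d)        # 1205, 1206
        total = [(s + y) % q for s, y in zip(total, term)]            # eq. (33)
    return reconstruct(total, d)                   # S1604: S from Sd_1 .. Sd_t

def demo():
    """Share a constructed secret with a (3, 6) scheme, then let t = 5 of the
    6 members reconstruct it anonymously with k' = 2, which satisfies (29).
    Returns (honest result == S, result with one bogus first share == S)."""
    S = 123456789
    ids = [11, 23, 35, 47, 59, 71]                 # constructed member IDs
    shares = share(S, 3, ids)
    collected = [0, 1, 3, 4, 5]
    honest = anonymous_reconstruct([ids[i] for i in collected],
                                   [shares[i] for i in collected], 2)
    bogus = [shares[i] for i in collected]
    bogus[2] = (bogus[2] + 1) % q  # a device without a valid share of S
    faked = anonymous_reconstruct([ids[i] for i in collected], bogus, 2)
    return honest == S, faked == S  # (True, False): the fake attempt fails
```

The second return value of demo() shows the authentication effect described below: a participant without a valid first share changes the reconstructed value, so the comparison with the registered S fails.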

Effects of the Third Embodiment

As described above, according to the third embodiment, as in the first and second embodiments, the original secret information S can be reconstructed without revealing the shares held secretly by the collected members to any other member or any third party. Accordingly, the shares held by the members can be reused the next time the secret information is reconstructed. In addition, these effects can be obtained without the need for a central secret reconstruction facility.

The third embodiment differs from the first embodiment in that, since it uses a (k, n) threshold secret sharing scheme, the original secret information S can be reconstructed by a collection of k members (k ≤ n), not necessarily requiring the participation of all n members.

The third embodiment differs from the second embodiment in that the secret information is reconstructed without revealing either the shares held by the members or the member IDs, so that all of the collected members can remain anonymous.

Furthermore, in the third embodiment, if a member (a device with computing and memory facilities) not holding a share of the secret information S tries to participate in the reconstruction of the secret information S, the reconstruction will fail as in the first and second embodiments. Therefore, the third embodiment provides an authentication scheme that can determine whether all members in a group comprising a plurality of collected members are valid members or not, thereby determining whether they are members to whom the shares of the secret information S were previously distributed or not. Furthermore, in the third embodiment, since the first shares are reusable as described above, the authentication scheme can be used repeatedly without updating the first shares of the secret information S. The authentication scheme is also very robust under attack by an attacker who pretends to be a member by wiretapping, because the information exchanged among the collected members varies every time the authentication is carried out or the original secret information S is reconstructed.

In particular, the third embodiment has the following two effects: (1) it is not necessary to collect all members holding the shares of the original secret information; it suffices to collect a number of members equal to or greater than a threshold value; and (2) anonymity is preserved. Therefore, it is possible to authenticate all members in a group comprising a plurality of collected members as valid members without identifying the collected members.

The authentication scheme described above has features that cannot be achieved by simply combining the secret reconstruction features of the secret sharing scheme and the shared operation features of the multiparty protocol. As described in the first and second embodiments, the above authentication scheme makes use of the original secret information S as registered information that is compared with the reconstruction result to decide if the authentication is valid or not, so it is not necessary for the original secret information S to be kept secret from the members.

Fourth Embodiment
General Description

As the multiparty protocol used to reconstruct the original secret information S in the third embodiment is a multiparty protocol of the first type described above, any two of the collected members communicate over a secure channel that does not reveal the content of their communication to any of the other members. In contrast, the fourth embodiment employs a multiparty protocol of the second type described above: the collected members communicate over oblivious transfer channels as well as over secure channels. The extra communication channels enable the fourth embodiment to provide effects similar to those of the third embodiment while eliminating the restriction on the threshold k' of the (k', t) threshold secret sharing scheme used in the third embodiment.

In the third embodiment, the threshold k' was restricted by the following inequality (29).

$$k' < (t + 1)/2 \qquad (29)$$

In the fourth embodiment, the range of the threshold k' can be widened to k' < t.

Structure of the Fourth Embodiment

The structure embodying the secret reconstruction method of the fourth embodiment (a secret reconstruction system according to the fourth embodiment) is similar to that of the third embodiment, except that since the fourth embodiment employs the aforementioned second type of multiparty protocol, there is a difference in the structure of distributed multiplication units 1205-j-a, 1206-j-a in FIG. 16. In the following description of the fourth embodiment, only the part of the structure that differs from the third embodiment, namely, the structure of the distributed multiplication units 1205-j-a, 1206-j-a, will be described.

FIG. 20 is a block diagram illustrating the structure 
of the distributed multiplication units 1205-j-a, 1206-j-a 
used in the secret reconstruction method according to the 
fourth embodiment of the invention. It is this structure, 
and the use of the second type of multiparty protocol 
described above, that eliminates the restriction shown in 
the above inequality (29) and enlarges the range of 
thresholds k' to k' < t. 

The structure of the distributed multiplication units 1205-j-a, 1206-j-a in the fourth embodiment will now be described. As shown in FIG. 20, each of the distributed multiplication units 1205-j-a, 1206-j-a comprises a jj-term calculation unit 1701-j, an ij-term calculation unit 1702-j and a t-term adder 1703-j. The two inputs Adj, Bdj to each of the distributed multiplication units 1205-j-a, 1206-j-a are input to both the jj-term calculation unit 1701-j and the ij-term calculation unit 1702-j. The outputs from the jj-term calculation unit 1701-j and ij-term calculation unit 1702-j are input to the t-term adder 1703-j. The output of the t-term adder 1703-j becomes the output from the distributed multiplication unit 1205-j-a or 1206-j-a.

The jj-term calculation unit 1701-j receives the two inputs Adj, Bdj to the distributed multiplication unit 1205-j-a or 1206-j-a, multiplies them, multiplies the result by a coefficient rdj calculated from the following equation (41), and outputs the final result to the t-term adder 1703-j.

$$r_{d_j} = \frac{d_1 \times d_2 \times \cdots \times d_t / d_j}{(d_1 - d_j) \times (d_2 - d_j) \times \cdots \times (d_{j-1} - d_j) \times (d_{j+1} - d_j) \times \cdots \times (d_t - d_j)} = \prod_{\substack{i=1 \\ i \neq j}}^{t} \frac{d_i}{d_i - d_j} \qquad (41)$$

More specifically, the jj-term calculation unit 1701-j calculates Adj × Bdj, then calculates rdj (Adj × Bdj) using the coefficient rdj obtained from the above equation (41), and finally outputs the result.

The ij-term calculation unit 1702-j receives the two inputs Adj, Bdj to the distributed multiplication unit 1205-j-a, 1206-j-a and performs a calculation involving both Adj and Bdj and information received from the other members through the secure channels 303 to obtain the result of what is in effect a multiplication by the other members' values. Thus, while the member having temporary member ID dj directly performs the multiplication operation Adj × Bdj in the jj-term calculation unit 1701-j, in the ij-term calculation unit 1702-j it performs an operation analogous to multiplication of Adj and Bdj by the values input to the members having temporary member IDs dp (p = 1, 2, ..., t, p ≠ j) to obtain results analogous to Adj × Bdp and Adp × Bdj.

The operation performed by the ij-term calculation unit
1702-j satisfies the following equations (42) and (42').

$$A_{d_j} \times B_{d_p} = D_{d_j} + D_{d_p} \qquad (42)$$

$$A_{d_p} \times B_{d_j} = E_{d_j} + E_{d_p} \qquad (42')$$

The member having temporary member ID dj can accordingly
hold Ddj and Edj, and the member having temporary member ID
dp can hold Ddp and Edp.

FIG. 21 is a block diagram illustrating the structure
of the ij-term calculation unit 1702-j in FIG. 20. The ij-term
calculation unit 1702-j will be described with reference to
FIG. 21. The ij-term calculation unit 1702-j comprises: j - 1
term operation receivers 1801-j-p (p = 1, 2, ..., j - 1); j - 1
term operation receivers 1802-j-p (p = 1, 2, ..., j - 1); t - j
term operation transmitters 1803-j-p (p = j + 1, j + 2, ..., t);
t - j term operation transmitters 1804-j-p (p = j + 1, j + 2,
..., t); t - 1 adders 1805-j-p (p = 1, 2, ..., t, p ≠ j); and
t - 1 coefficient multiplication units 1806-j-p (p = 1, 2, ...,
t, p ≠ j).

One of the two inputs to the ij-term calculation unit
1702-j is input to term operation receivers 1801-j-p (p = 1,
2, ..., j - 1) and term operation transmitters 1803-j-p (p =
j + 1, j + 2, ..., t), and the other is input to term operation
receivers 1802-j-p (p = 1, 2, ..., j - 1) and term operation
transmitters 1804-j-p (p = j + 1, j + 2, ..., t). The outputs
from term operation receivers 1801-j-p and 1802-j-p (p = 1, 2,
..., j - 1) are input to adders 1805-j-p (p = 1, 2, ..., j - 1);
the outputs from term operation transmitters 1803-j-p and
1804-j-p (p = j + 1, j + 2, ..., t) are input to adders 1805-j-p
(p = j + 1, j + 2, ..., t). The outputs from the adders 1805-j-p
(p = 1, 2, ..., t, p ≠ j) are input to the coefficient
multiplication units 1806-j-p (p = 1, 2, ..., t, p ≠ j).

The outputs (t - 1 outputs in total) from the
coefficient multiplication units 1806-j-p (p = 1, 2, ..., t,
p ≠ j) become the outputs from the ij-term calculation unit
1702-j. The term operation receivers 1801-j-p, 1802-j-p (p =
1, 2,..., j - 1) and term operation transmitters 1803-j-p, 
1804-j-p (p = j +1, j +2,..., t) exchange information with 
the other members via secure channels 303 similar to the
ones in FIG. 3, and, as described above, essentially carry
out multiplication operations with the values of the other
members having member IDs dp (p = 1, 2, ..., t, p ≠ j) to
obtain results not exactly equal to, but equivalent to, Adj x 
Bd p and Ad p x Bdj . In this case, an oblivious transfer is 
used so that the values Adj and Bdj held by the member with 
ID dj and the values Ad p and Bd p held by the other members 
are kept secret. An oblivious transfer is a transmission 
method in which M information values are encoded (encrypted) 
at the transmitter and sent to the receiver, but only one of 
them can be received, or successfully decoded, by the 
receiver and the transmitter cannot know which value the 
receiver has received, or successfully decoded. In this 
embodiment, the oblivious transfer is based on the 
difficulty of computing discrete logarithms modulo q. 

Whether a member j has term operation receivers 1801-j-p,
1802-j-p (p = 1, 2, ..., j - 1) or term operation
transmitters 1803-j-p, 1804-j-p (p = j + 1 , j + 2 , . . . , t) 
depends on the value of j. For j = 1, for example, member j 
does not have term operation receivers, but has 2 x (t - 1) 
term operation transmitters. For j = t, member j does not 
have term operation transmitters, but has 2 x (t - 1) term 
operation receivers . Information is transmitted and received 
among the members so that the information from the term 
operation transmitters 1803-j-p, 1804-j-p (p = j +1, j + 
2 , . . . , t) of the member having temporary member ID dj is 
transferred through the secure channels 303 to the term 
operation receivers 1802-p-j , 1801-p-j of the member having 
temporary member ID dp. This will be described later with
reference to FIGs. 22 and 23.

Adder 1805-j-p (p = 1, 2, ..., t, p ≠ j) receives the
outputs from term operation receivers 1801-j-p, 1802-j-p (p =
1, 2, ..., j - 1) or term operation transmitters 1803-j-p,
1804-j-p (p = j + 1, j + 2, ..., t), adds these outputs, and
outputs the sum to coefficient multiplication unit 1806-j-p
(p = 1, 2, ..., t, p ≠ j). If the output from term operation
receiver 1801-j-p or term operation transmitter 1803-j-p is
denoted Ddj,p and the output from term operation receiver
1802-j-p or term operation transmitter 1804-j-p is denoted
Edj,p, then adder 1805-j-p calculates Ddj,p + Edj,p and outputs
the result to the coefficient multiplication unit 1806-j-p.

Coefficient multiplication unit 1806-j-p (p = 1, 2, ...,
t, p ≠ j) receives the output from adder 1805-j-p (p = 1,
2, ..., t, p ≠ j), multiplies it by a coefficient calculated
from the following equation (43), and outputs the result.

$$r_{d_p} = \frac{d_1 d_2 \cdots d_t / d_p}{(d_1 - d_p)(d_2 - d_p)\cdots(d_{p-1} - d_p)(d_{p+1} - d_p)\cdots(d_t - d_p)} = \prod_{i=1,\, i \ne p}^{t} \frac{d_i}{d_i - d_p} \qquad (43)$$

More specifically, if the output from adder 1805-j-p is
denoted Fdj,p, then coefficient multiplication unit 1806-j-p
calculates rdp × Fdj,p and outputs the result. The outputs (t
- 1 outputs in total) from the coefficient multiplication
units 1806-j-p (p = 1, 2, ..., t, p ≠ j) become the outputs
of the ij-term calculation unit 1702-j.

Next, the term operation receivers 1801-j-p, 1802-j-p 
(p=l, 2,..., j -1) will be described with reference to 
FIG. 22. Each of the term operation receivers 1801-j-p,
1802-j-p (p = 1, 2, ..., j - 1) comprises an index operation
transmitter 1901-j and a reception reconstruction unit 1902-j.
As described above, term operation receiver 1801-j-p
receives one of the two inputs to the ij-term calculation 
unit 1702-j and term operation receiver 1802-j-p receives 
the other input. The inputs to these term operation 
receivers 1801-j-p, and 1802-j-p will now be denoted Adj and 
Bdj , respectively. Since term operation receivers 1801-j-p 
and 1802-j-p have the same internal structure, the following 
descriptions will be given for term operation receiver 1801- 
j-p, and information pertaining to the term operation 
receiver 1802-j-p will be given in parentheses. The input to 
the term operation receiver 1801-j-p (or 1802-j-p) is input 
to the index operation transmitter 1901-j . The output from 
the index operation transmitter 1901-j is input to the 
reception reconstruction unit 1902-j . The output of the 
reception reconstruction unit 1902-j becomes the output from 
the term operation receiver 1801-j-p (or 1802-j-p). 

The index operation transmitter 1901-j receives the
input Adj (or Bdj) to the term operation receiver 1801-j-p
(or 1802-j-p), calculates A'dj,p (or B'dj,p) by the following
equation (44) (or (44')), and transmits A'dj,p (or B'dj,p) to
the term operation transmitter 1804-p-j (or 1803-p-j) of the
members having temporary member IDs dp (p = 1, 2, ..., j - 1)
over secure channels 303 similar to the ones in FIG. 3.

$$A'_{d_j,p} = g^{rA_{j,p}}\, h^{A_{d_j}} \qquad (44)$$

$$B'_{d_j,p} = g^{rB_{j,p}}\, h^{B_{d_j}} \qquad (44')$$

In the above equations (44) and (44'), h and g are two
generators in the finite field and rAj,p, rBj,p are random
elements selected from the finite field. The random exponent
rAj,p (or rBj,p) hides Adj (or Bdj) in the transmitted value.
The discrete logarithm of h to the base g must be unknown to
the members: a receiver that knew it could compute the masking
factor of equation (47) below from g^kAa alone for every a,
and so decode all q values instead of only one. The index
operation transmitter 1901-j outputs the value rAj,p (or
rBj,p) used in the above equation (44) (or (44')) to the
reception reconstruction unit 1902-j.

The reception reconstruction unit 1902-j receives q
inputs of information from the term operation transmitter
1804-p-j (or 1803-p-j) of the members holding temporary
member IDs dp (p = 1, 2, ..., j - 1), where q is the order of
the finite field GF(q), and calculates the equation (45) (or
(45')) below using the (Adj + 1)-th information D'dj,p (or the
(Bdj + 1)-th information E'dj,p) to obtain the final value
Ddj,p (or Edj,p). The other received inputs of information
appear as random numbers to the member holding temporary
member ID dj. It is assumed here that D'dj,p (or E'dj,p)
includes two information data values D'1dj,p and D'2dj,p (or
E'1dj,p and E'2dj,p).

$$D_{d_j,p} = D'_{2,d_j,p} \big/ \left(D'_{1,d_j,p}\right)^{rA_{j,p}} \qquad (45)$$

$$E_{d_j,p} = E'_{2,d_j,p} \big/ \left(E'_{1,d_j,p}\right)^{rB_{j,p}} \qquad (45')$$

The value Ddj,p (or Edj,p) calculated by the above equation
(45) (or (45')) is output from the reception reconstruction
unit 1902-j and becomes the output of the term operation
receiver 1801-j-p (or 1802-j-p).

The structure of the term operation transmitters
1803-j-p, 1804-j-p (p = j + 1, j + 2, ..., t) will now be
described with reference to FIG. 23. As shown in FIG. 23,
each of the term operation transmitters 1803-j-p, 1804-j-p
comprises a random number generator 2001-j, a finite field
element generator 2002-j, and multiplication operation
transmitters 2003-j-a (a = 1, 2, ..., q). The input to the
term operation transmitter 1803-j-p or 1804-j-p is input to
the multiplication operation transmitters 2003-j-a together
with outputs from the random number generator 2001-j and
finite field element generator 2002-j. The output of the
random number generator 2001-j becomes the output from the
term operation transmitter 1803-j-p or 1804-j-p. The term
operation transmitter 1803-j-p receives one of the two
inputs to the ij-term calculation unit 1702-j , and the term 
operation transmitter 1804-j-p receives the other input. The 
inputs to the term operation transmitters 1803-j-p and 1804- 
j-p will now be denoted Adj and Bdj, respectively. Since the
term operation transmitters 1803-j-p and 1804-j-p have the
same internal structure, the following description will be
confined to the term operation transmitter 1803-j-p, but
information for the term operation transmitter 1804-j-p will
be given in parentheses.

The random number generator 2001-j generates and
outputs a random element in the finite field GF(q). The same
random element is output to the multiplication operation
transmitters 2003-j-a (a = 1, 2, ..., q). As described above,
the output from the random number generator 2001-j
corresponds to the output from the term operation
transmitter 1803-j-p (or 1804-j-p), where p = j + 1, j + 2,
..., t.

The finite field element generator 2002-j generates q
values 0, 1, ..., q - 1 in sequence in the finite field, and
outputs each of them to each of the multiplication operation
transmitters 2003-j-a (a = 1, 2, ..., q) in sequence from a =
1 to q. That is, it outputs 0 to multiplication operation
transmitter 2003-j-1, 1 to multiplication operation
transmitter 2003-j-2, i - 1 to multiplication operation
transmitter 2003-j-i, and q - 1 to multiplication operation
transmitter 2003-j-q.

Multiplication operation transmitter 2003-j-a (a = 1,
2, ..., q) receives: the input Adj (or Bdj) to the term
operation transmitter 1803-j-p (or 1804-j-p) (p = j + 1, j +
2, ..., t); the random element from the random number
generator 2001-j; a corresponding finite field element a - 1
from the finite field element generator 2002-j; and the
output B'dp,j (or A'dp,j) from the index operation transmitter
1901-p in the term operation receiver 1802-p-j (or 1801-p-j)
of the other member holding temporary member ID dp (p = j + 1,
j + 2, ..., t) via a secure channel 303. It then performs a
calculation on these received data and outputs the result.
The q outputs from the multiplication operation transmitters
2003-j-a (a = 1, 2, ..., q) are transmitted over secure
channels 303 to the term operation receiver 1802-p-j (or
1801-p-j) of the members holding temporary member IDs dp (p =
j + 1, j + 2, ..., t) in ascending order of a.

The output from the random number generator 2001-j will
now be denoted Ddj,p (or Edj,p) and the value received through
the secure channel 303 will again be denoted B'dp,j (or A'dp,j).
Multiplication operation transmitter 2003-j-a (a = 1, 2, ...,
q) receives a - 1 from the finite field element generator
2002-j. The multiplication operation transmitter 2003-j-a
performs the calculation in the following equations (46) (or
(46')), (47) (or (47')), and (48) (or (48')) to obtain D'dp,j,a
(or E'dp,j,a), which consists of the two values shown in the
above equation (45) (or (45')), and transmits these values
over the secure channel 303 to the term operation receiver
1802-p-j (or 1801-p-j) of the members holding temporary
member IDs dp (p = j + 1, j + 2, ..., t) in order of a = 1,
2, ..., q.

$$D'_{1,d_p,j,a} = g^{kA_a} \qquad (46)$$

$$E'_{1,d_p,j,a} = g^{kB_a} \qquad (46')$$

$$D'_{2,d_p,j,a} = \left(A_{d_j}(a-1) - D_{d_j,p}\right)\left(B'_{d_p,j} / h^{a-1}\right)^{kA_a} \qquad (47)$$

$$E'_{2,d_p,j,a} = \left(B_{d_j}(a-1) - E_{d_j,p}\right)\left(A'_{d_p,j} / h^{a-1}\right)^{kB_a} \qquad (47')$$

$$D'_{d_p,j,a} = \left(D'_{1,d_p,j,a},\ D'_{2,d_p,j,a}\right) \qquad (48)$$

$$E'_{d_p,j,a} = \left(E'_{1,d_p,j,a},\ E'_{2,d_p,j,a}\right) \qquad (48')$$

In the above equations, the values kAa (or kBa) (a = 1,
2, ..., q) are q random elements in the finite field. When the
term operation receiver 1802-p-j (or 1801-p-j) of the member
holding temporary member ID dp (p = j + 1, j + 2, ..., t)
receives these outputs D'dp,j,a (or E'dp,j,a) via the secure
channels 303, the member can decode, by using equation (45),
only the value D'dp,j = D'dp,j,a (or E'dp,j = E'dp,j,a) for
which a - 1 = Bdp (or a - 1 = Adp), that is, the (Bdp + 1)-th
(or (Adp + 1)-th) value: for that a the factor B'dp,j/h^(a-1)
(or A'dp,j/h^(a-1)) in equation (47) (or (47')) reduces to
g^rBp,j (or g^rAp,j), so the member can cancel its kAa-th (or
kBa-th) power using its own exponent rBp,j (or rAp,j) and the
value g^kAa (or g^kBa) of equation (46) (or (46')). For every
other a the received value appears as a random number to the
member holding temporary member ID dp.

When the structures shown in FIGs . 20 to 23 are 
employed, the restriction given by the inequality (29) in 
the operation of the distributed multiplication units 1205- 
j-a, 1206- j -a can be eliminated, thereby widening the range 
of thresholds k' to k' < t. 

Operation of the Fourth Embodiment

The operation of the secret reconstruction method 
according to the fourth embodiment is substantially 
identical to that of the third embodiment, shown in the 
flowchart in FIG. 19. There is, however, a difference in the 
operation in step S1603 in FIG. 19. In the third embodiment, 
the distributed multiplication units 1205-j-a, 1206- j -a used 
for the calculation in step S1603 perform computations with 
the structure shown in FIG. 16, whereas in the fourth 
embodiment, they perform computations with the structure 
shown in FIG. 20. 

Effects of the Fourth Embodiment 

As described above, according to the fourth embodiment, 
as in the first to third embodiments, the original secret 
information S can be reconstructed without revealing the 
shares held secretly by the collected members to any other 
member or any third party. Accordingly, the shares held by 
the members can be reused the next time the secret 
information is reconstructed. In addition, these effects can
be obtained without the need for a central secret
reconstruction facility.

Further, in the fourth embodiment, in addition to 
obtaining the same effects as in the third embodiment, the 
following restriction of the threshold k' of the (k', t) 
threshold secret sharing scheme used for the sharing 
operation in the third embodiment can be eliminated: 

$$k' < (t + 1)/2 \qquad (29)$$

whereby the range of thresholds k' can be widened to k' < t. 

Fifth Embodiment 
General Description 

In the above third embodiment, the distributed inverse 
element calculation unit 1203-j-a (j =1, 2,..., t, a = 1, 
2,..., t) shown in FIG. 15 comprises qt> - 1 distributed 
multiplication units 1501 as shown in FIG. 18. In the fifth 
embodiment described below, the number of distributed 
multiplication units 1501 in the distributed inverse element 
calculation unit 1203-j-a is reduced. 

The inputs to the distributed inverse element
calculation unit 1203-j-a and to the other members'
distributed inverse element calculation units 1203-p-a will
again be denoted Aj and Ap (p = 1, 2, ..., t, p ≠ j),
respectively. If the original secret information
reconstructable from these t values Ap (p = 1, 2, ..., t) is
denoted A, the distributed inverse element calculation unit
1203-j-a calculates share Cj of the inverse element of A,
i.e., C = A^-1, in the finite field GF(q), which becomes the
share for the member having temporary member ID dj. In the
fifth embodiment, the distributed multiplication is
performed on the value Aj (j = 1, 2, ..., t) input to the
distributed inverse element calculation unit 1203-j-a by
using a random element Bj (j = 1, 2, ..., t) generated by each
member, whereby the value Uj (j = 1, 2, ..., t), which is
generated by the distributed multiplication with this random
element Bj, is revealed as a share of the original secret U
while the input value Aj is kept secret, and then the original
secret U is reconstructed. That is, the inverse element U^-1
of the original secret information U is calculated, and then
the shares U^-1j of the inverse element U^-1 are distributed to
the other members. Each member obtains the required value Cj
= A^-1j from the received share U^-1j and the random element Bj
it generated itself. Because no member knows the random
elements of the others, the revealed product U = A × B
discloses nothing about A beyond whether A is zero.

Structure of the Fifth Embodiment 

The structure embodying the secret reconstruction 
method of the fifth embodiment (secret reconstruction system 
according to the fifth embodiment) is the same as in the 
third embodiment except for a difference in the structure of 
the distributed inverse element calculation unit 1203-j-a (j 
= 1, 2,..., t, a = 1, 2,..., t). Therefore, only the 
structure of the distributed inverse element calculation 
unit 1203-j-a will be described below. 

The structure of the distributed inverse element 
calculation unit 1203-j-a (j = 1, 2, . . . , t, a = 1, 2, . . . , t) 
according to the fifth embodiment will be described with 
reference to FIGs. 24A and 24B. FIG. 24A illustrates the 
structure of the distributed inverse element calculation 
unit 1203-j-a (a = 1, 2,..., t) of a representative member 
selected from the collected members, where it is assumed 
that the representative member holds temporary member ID dj . 
The representative member may be selected in any way; for 
example, the member holding the smallest (or largest) 
temporary member ID may be the representative member. FIG. 
24B illustrates the structure of the distributed inverse 
element calculation unit 1203-i-a (a = 1, 2,..., t) of each 
member other than the representative member (the members 
holding temporary member IDs di, where i = 1, 2, ..., t and
i ≠ j).

First the distributed inverse element calculation unit
1203-j-a of the representative member will be described with
reference to FIG. 24A. As shown in FIG. 24A, the distributed
inverse element calculation unit 1203-j-a of the 
representative member comprises: a random number generator
2101-j; a distributed multiplication unit 2102-j; a
distributed multiplication unit 2106-j; a linear combination
operation unit 2103-j; an inverse element operation unit
2104-j; and a secret sharing operation unit 2105-j. The
input Adj to the distributed inverse element calculation unit
1203-j-a is input to the distributed multiplication unit
2102-j together with the output from the random number
generator 2101-j . The output from the distributed 
multiplication unit 2102-j is input to the linear 
combination operation unit 2103-j ; the output from the 
linear combination operation unit 2103-j is input to the 
inverse element operation unit 2104-j ; and the output from 
the inverse element operation unit 2104-j is input to the 
secret sharing operation unit 2105-j . The output from the 
secret sharing operation unit 2105-j is input to the
distributed multiplication unit 2106-j together with the 
output from the random number generator 2101-j . The output 
of the distributed multiplication unit 2106-j becomes the 
output from the distributed inverse element calculation unit 
1203-j-a of the representative member. 

The random number generator 2101-j generates and 
outputs a random element from values in a finite field GF (q) , 
and provides both distributed multiplication units 2102-j 
and 2106-j with the same random element. 

The distributed multiplication unit 2102-j receives the 
input Adj to the distributed inverse element calculation unit 
1203-j-a and the output from the random number generator 
2101-j as its inputs, performs a computation on these inputs 
using the information received through secure channels 303
similar to the ones in FIG. 3, and then outputs the result
to the linear combination operation unit 2103-j. The
distributed multiplication unit 2102-j in the fifth 
embodiment has the same structure as the distributed 
multiplication units 1205-j-a, 1206-j-a in FIG. 16 or the 
distributed multiplication units 1205-j-a, 1206-j-a in FIG. 
20. 

The linear combination operation unit 2103-j receives
the output from the distributed multiplication unit 2102-j
and the outputs from the other members' distributed
multiplication units 2102-i (described in FIG. 24B below,
where i = 1, 2, ..., t and i ≠ j) via secure channels 303,
performs a linear combination operation, and outputs the
result to the inverse element operation unit 2104-j. The
linear combination operation unit 2103-j in the fifth
embodiment has a structure similar to the linear combination
operation unit 702-j in FIG. 9. If the output result from
the distributed multiplication unit 2102-j is denoted Udj and
the output results received from the other members'
distributed multiplication units 2102-i via the secure
channels 303 are denoted Udi (i = 1, 2, ..., t, i ≠ j), the
linear combination operation unit 2103-j performs the
calculations in the following equations (49) and (50), which
are similar to the above equations (25) and (26), and
outputs the result U to the inverse element operation unit
2104-j.

$$U = r_{d_1} U_{d_1} + r_{d_2} U_{d_2} + \cdots + r_{d_t} U_{d_t} = \sum_{p=1}^{t} r_{d_p} U_{d_p} \qquad (49)$$

$$r_{d_p} = \frac{d_1 d_2 \cdots d_t / d_p}{(d_1 - d_p)(d_2 - d_p)\cdots(d_{p-1} - d_p)(d_{p+1} - d_p)\cdots(d_t - d_p)} = \prod_{i=1,\, i \ne p}^{t} \frac{d_i}{d_i - d_p} \qquad (50)$$



The inverse element operation unit 2104-j receives the
output U from the linear combination operation unit 2103-j,
calculates its inverse element U^-1, and outputs the result to
the secret sharing operation unit 2105-j. The inverse of a
non-zero element in the finite field GF(q) can be calculated
by the following equation (51), in which the (q - 2)-th power
of the element is calculated; this holds because U^(q-1) = 1
for every non-zero U in GF(q). The value U = 0 has no inverse;
it arises when A is zero or when the members' random elements
happen to combine to zero, in which case the calculation must
be repeated with fresh random elements.

$$U^{-1} = U^{q-2} \qquad (51)$$

This calculation can also be carried out by using the
extended Euclidean algorithm.

The secret sharing operation unit 2105-j receives the
output U^-1 from the inverse element operation unit 2104-j,
generates shares of the output U^-1, and distributes the
shares to the other members through the secure channels 303.
The secret sharing operation unit 2105-j in the fifth
embodiment has a structure similar to the secret sharing
operation unit 1302-j in FIG. 16. The secret sharing
operation unit 2105-j generates a polynomial f4(x) of degree
k' - 1 as shown in the following equation (52):

$$f_4(x) = U^{-1} + R_{4,1}\, x + R_{4,2}\, x^2 + \cdots + R_{4,k'-1}\, x^{k'-1} \qquad (52)$$

where R4,1, R4,2, ..., R4,k'-1 are k' - 1 random elements
selected from the finite field GF(q).

The secret sharing operation unit 2105-j calculates the
share U^-1dp to be distributed to the member holding temporary
member ID dp (p = 1, 2, ..., t) using the above equation (52)
as shown in the following equation (53).

$$U^{-1}_{d_p} = f_4(d_p) = U^{-1} + R_{4,1}\, d_p + R_{4,2}\, d_p^{2} + \cdots + R_{4,k'-1}\, d_p^{k'-1} \qquad (53)$$

The secret sharing operation unit 2105-j outputs the
share U^-1dj it generated itself to the distributed
multiplication unit 2106-j and distributes the other shares
U^-1dp (p = 1, 2, ..., t, p ≠ j) to the other members via the
secure channels 303.

The distributed multiplication unit 2106-j receives the
output from the random number generator 2101-j and the
output U^-1dj from the secret sharing operation unit 2105-j as
its inputs, performs a computation on these inputs using the
information received through secure channels 303 similar to 
the ones in FIG. 3, and outputs the result of the 
computation. The distributed multiplication unit 2106-j in 
the fifth embodiment has a structure similar to the 
distributed multiplication units 1205-j-a, 1206-j-a in FIG. 
16 or the distributed multiplication units 1205-j-a, 1206-j- 
a in FIG. 20. As shown in FIG. 24A, the output of the 
distributed multiplication unit 2106-j becomes the output 
from the distributed inverse element calculation unit 1203- 
j-a. 

Next, the structure of the distributed inverse element
calculation unit 1203-i-a (a = 1, 2, ..., t) operated by each
member (having temporary member ID di, where i = 1, 2, ..., t,
i ≠ j) other than the representative member will be
described with reference to FIG. 24B. As shown in FIG. 24B,
the distributed inverse element calculation unit 1203-i-a of
each member other than the representative member comprises:
a random number generator 2101-i; distributed multiplication
units 2102-i, 2106-i; a revealed transmitter 2107-i; and a
revealed receiver 2108-i. The output from the random number
generator 2101-i is input to the distributed multiplication
unit 2102-i together with the input Adi to the distributed
inverse element calculation unit 1203-i-a of each member
other than the representative member, and is also input to
the distributed multiplication unit 2106-i. The output from
the distributed multiplication unit 2102-i is input to the
revealed transmitter 2107-i. The output from the revealed
receiver 2108-i is input to the distributed multiplication
unit 2106-i together with the output from the random number
generator 2101-i. The output of the distributed
multiplication unit 2106-i corresponds to the output from
the distributed inverse element calculation unit 1203-i-a of
each member other than the representative member.

The random number generator 2101-i in FIG. 24B has the
same structure and operation as the random number generator
2101-j in FIG. 24A. The distributed multiplication units
2102-i, 2106-i in FIG. 24B also have the same structure and
operation as the distributed multiplication units 2102-j,
2106-j in FIG. 24A.

The revealed transmitter 2107-i receives the output 
from the distributed multiplication unit 2102-i, and 
transmits it to the representative member over a secure 
channel 303. If the output from the distributed
multiplication unit 2102-i is denoted Udi, the revealed
transmitter 2107-i (i = 1, 2, ..., t, i ≠ j) of each member
other than the representative member transmits the output Udi
to the linear combination operation unit 2103-j of the
representative member over the secure channel 303, so the
linear combination operation unit 2103-j of the
representative member receives t - 1 values Udi (i = 1, 2, ...,
t, i ≠ j) in all.

The revealed receiver 2108-i receives U^-1di from the
secret sharing operation unit 2105-j of the representative
member via a secure channel 303, and sends it to the
distributed multiplication unit 2106-i.

The distributed multiplication unit 2106-i receives the
output from the random number generator 2101-i and the
output from the revealed receiver 2108-i as its inputs,
performs a computation on these inputs using the information
received through secure channels 303 similar to the ones in
FIG. 3, and outputs the result. The distributed
multiplication unit 2106-i in the fifth embodiment has a 
structure similar to the distributed multiplication units 
1205-j-a, 1206-j-a in FIG. 16 or the distributed 
multiplication units 1205-j-a, 1206-j-a in FIG. 20. As shown 
in FIG. 24B, the output of the distributed multiplication 
unit 2106-i becomes the output from the distributed inverse 
element calculation unit 1203-i-a of each member other than 
the representative member. 

As described above, the structure in FIGs. 24A and 24B
can reduce the number of the distributed multiplication 
units in the distributed inverse element calculation unit 
1203-i-a and simplify the operation. 
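The following Python program is an added worked example; it is not part of the patent and not code from its applicant. It models the fourth embodiment's distributed multiplication (FIGs. 20 to 23, equations (41) to (48)) and the fifth embodiment's distributed inverse element calculation (FIGs. 24A and 24B, equations (49) to (53)) for t members holding shares at temporary member IDs dj. The field GF(23), the generators g = 5 and h = 7, the member IDs 1 to 4, the threshold k' = 3 and the secrets 17 and 9 are constructed toy values that the page does not give, and the function names are the example's own. The secure channels 303, the representative member, and the term operation transmitters and receivers are collapsed into ordinary function calls so that only the arithmetic of the protocol remains.

```python
import secrets

# Constructed toy parameters (not from the page): GF(23) with g = 5 and h = 7,
# both generators of GF(23)*. A real deployment needs a large prime q and an h
# whose discrete logarithm to the base g is unknown to every member.
Q, G, H = 23, 5, 7


def lagrange_coeff(ids, j):
    """r_{d_j} of equations (41), (43) and (50): prod_{i != j} d_i / (d_i - d_j) in GF(q)."""
    num, den = 1, 1
    for i, d in enumerate(ids):
        if i != j:
            num = num * d % Q
            den = den * (d - ids[j]) % Q
    return num * pow(den, -1, Q) % Q


def shamir_share(secret, k, ids):
    """Equations (52)-(53): evaluate a random degree k-1 polynomial at each member ID."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(k - 1)]
    return [sum(c * pow(d, e, Q) for e, c in enumerate(coeffs)) % Q for d in ids]


def reconstruct(ids, shares):
    """Equation (49): the linear combination sum_j r_{d_j} * share_j."""
    return sum(lagrange_coeff(ids, j) * s for j, s in enumerate(shares)) % Q


def ot_product(x, y):
    """One 1-of-q oblivious transfer (FIGs. 22 and 23). The transmitter holds x, the
    receiver holds y; afterwards each holds one additive share of x*y (eqs. (42), (42'))."""
    r = 1 + secrets.randbelow(Q - 2)                  # receiver's random exponent, eq. (44)
    commitment = pow(G, r, Q) * pow(H, y, Q) % Q      # y' = g^r h^y, sent to the transmitter
    share_tx = secrets.randbelow(Q)                   # random number generator 2001 output
    msgs = []
    for v in range(Q):                                # candidate values v = a - 1 of y
        k = 1 + secrets.randbelow(Q - 2)              # random exponent kA_a
        d1 = pow(G, k, Q)                             # equation (46)
        base = commitment * pow(pow(H, v, Q), -1, Q) % Q          # y' / h^(a-1)
        d2 = (x * v - share_tx) % Q * pow(base, k, Q) % Q         # equation (47)
        msgs.append((d1, d2))                                     # equation (48)
    # Receiver, equation (45): only the (y+1)-th message has base = g^r, so dividing
    # by d1^r strips the mask; every other message is unrelated to x.
    d1, d2 = msgs[y]
    share_rx = d2 * pow(pow(d1, r, Q), -1, Q) % Q
    return share_tx, share_rx


def distributed_multiply(ids, a_shares, b_shares):
    """FIGs. 20 and 21: member j outputs r_{d_j} A_{d_j} B_{d_j} (jj-term) plus
    the sum over p != j of r_{d_p} (D_{d_j,p} + E_{d_j,p}) (ij-term)."""
    t = len(ids)
    out = [lagrange_coeff(ids, j) * a_shares[j] * b_shares[j] % Q for j in range(t)]
    for j in range(t):
        for p in range(j + 1, t):
            d_jp, d_pj = ot_product(a_shares[j], b_shares[p])   # A_dj*B_dp = D_dj,p + D_dp,j
            e_jp, e_pj = ot_product(b_shares[j], a_shares[p])   # A_dp*B_dj = E_dj,p + E_dp,j
            out[j] = (out[j] + lagrange_coeff(ids, p) * (d_jp + e_jp)) % Q
            out[p] = (out[p] + lagrange_coeff(ids, j) * (d_pj + e_pj)) % Q
    return out


def distributed_inverse(ids, k, a_shares):
    """FIGs. 24A and 24B: mask A with random elements B_j, reveal U = A*B to the
    representative, invert U in the clear, re-share U^-1 and multiply back by B."""
    for _ in range(8):
        b = [secrets.randbelow(Q) for _ in ids]               # random number generators 2101
        u_shares = distributed_multiply(ids, a_shares, b)     # units 2102, revealed to the representative
        u = reconstruct(ids, u_shares)                        # unit 2103, equation (49)
        if u == 0:   # the masks combined to zero; retry with fresh ones (not covered on the page)
            continue
        u_inv_shares = shamir_share(pow(u, Q - 2, Q), k, ids)  # units 2104-2105, eqs. (51)-(53)
        return distributed_multiply(ids, u_inv_shares, b)      # units 2106: shares C_j of A^-1
    raise ValueError("A*B was zero repeatedly; A itself is probably zero and has no inverse")


def demo(a=17, b=9, k=3, ids=(1, 2, 3, 4)):
    """t = 4 members with threshold k' = 3, which violates the third embodiment's bound
    k' < (t + 1)/2 but is allowed here. Returns (A*B, A^-1) recovered from the output shares."""
    ids = list(ids)
    a_sh, b_sh = shamir_share(a, k, ids), shamir_share(b, k, ids)
    product = reconstruct(ids, distributed_multiply(ids, a_sh, b_sh))
    inverse = reconstruct(ids, distributed_inverse(ids, k, a_sh))
    return product, inverse


if __name__ == "__main__":
    print(demo())  # (15, 19): 17*9 = 153 = 15 mod 23, and 17*19 = 1 mod 23
```

Running the file prints (15, 19): the Lagrange-weighted sum of the output shares equals A × B, and the inverse shares combine to A^-1, while no member ever holds A or the combined mask B in the clear. The cost that the toy field hides is visible in ot_product: a transmitter sends q pairs per term operation, so the oblivious transfer as described is linear in the field size and only affordable when q is small; a cryptographically large q would need a different 1-of-q transfer.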

Operation of the Fifth Embodiment 

The operation of the secret reconstruction method 
according to the fifth embodiment is substantially identical 
to the operation of the third embodiment described in the 
flowchart in FIG. 19, but there is a difference in the 
operation in step S1603 shown in FIG. 19. In the distributed 
inverse element calculation unit 1203-i-a of the third 
embodiment, the computation in step S1603 is performed with 
the structure shown in FIG. 18, but in the fifth embodiment, 
it is performed with the structure shown in FIG. 24A or FIG. 
24B. 

Effects of the Fifth Embodiment

As described above, according to the fifth embodiment,
as in the first to third embodiments, the original secret
information S can be reconstructed without revealing the
shares held secretly by the collected members to any other
member or any third party. Accordingly, the shares held by
the members can be reused the next time the secret
information is reconstructed. In addition, these effects can
be obtained without the need for a central secret
reconstruction facility.

Further, according to the fifth embodiment, in addition 
to obtaining the same effects as in the above third 
embodiment, the number of distributed multiplication units 
in the distributed inverse element calculation unit 1203-j-a 
(j =1, 2,..., t, a = 1, 2,..., t) used in the third 
embodiment can be greatly reduced. 

Modifications 
Modification of the First Embodiment 

In the first embodiment, any two of the collected
members have a secure channel over which they can
communicate without revealing the content of their
communication to any of the other members. Since the
summation secret sharing scheme is employed as a secret
sharing scheme based on the multiparty protocol, however,
even a person who eavesdrops on all channels cannot
reconstruct the secret information. Therefore, secure
channels are not necessarily required. Insecure channels, at
risk of wiretapping and other forms of interception, may
therefore also be used. This argument covers confidentiality
only; it says nothing about an attacker who modifies messages
in transit.

Modification of the Second Embodiment 

In the description of the second embodiment, each of 
the secret sharing operation unit 701-j in the distributed 
secret reconstruction operation unit 601-j and secret 
reconstruction operation unit 602 generates shares and 
reconstructs secret information by using the (k', t) 
threshold secret sharing scheme, but the summation secret 
sharing scheme may also be used in place of this scheme. In 
this case, in the secret reconstruction operation unit 602, 
the following equation (54) is used in place of the above
equations (22) and (4).

$$S = Sm'_1 + Sm'_2 + \cdots + Sm'_t = \sum_{j=1}^{t} Sm'_j \qquad (54)$$

In addition, instead of using the above equations (23)
and (24) used in the computing operation in the secret
sharing operation unit 701-j, the shares Xm'j,p are obtained
as follows: first, t - 1 random elements are selected from
the finite field and assigned to the shares Xm'j,p (p = 1,
2, ..., t - 1); then share Xm'j,t is obtained from the
following equation (55).

$$Xm'_{j,t} = Xm'_j - \left(Xm'_{j,1} + Xm'_{j,2} + \cdots + Xm'_{j,t-1}\right) \qquad (55)$$

Modification of the Third Embodiment 

In a modification of the third embodiment, the term 
calculation unit 1101-j-a has the structure shown in FIG. 25 
instead of the structure shown in FIG. 15. In FIG. 15, the 
distributed multiplication units 1205-j-a, 1206-j-a 
performed a multiplication operation on the input Xm'_{a,j} to 
the term calculation unit 1101-j-a, the output from the 
distributed inverse element calculation unit 1203-j-a, and 
the output from the distributed multiplication unit 1204-j-a 
in a sharing operation. It is possible, however, to replace 
the distributed multiplication units 1205-j-a, 1206-j-a in 
FIG. 15 with one distributed multiplication unit 1207-j-a 
having three inputs as shown in FIG. 25. This distributed 
multiplication unit 1207-j-a performs distributed 
multiplication on the three inputs, and is embodied by the 
same structure as the distributed multiplication units 
1202-j-a and 1204-j-a (by letting t - 1 = 3). 

In the third embodiment as shown in FIG. 17, the 
distributed multiplication units 1202-j-a, 1204-j-a are 
constructed so as to perform distributed multiplication on 
the inputs A in order of their subscripts (A_1, A_2, ..., A_{t-1}). 
It is not necessary, however, for the distributed 
multiplication to follow this order; the order is permutable. 

Modification of the Fourth Embodiment 

FIG. 26 is a block diagram illustrating the structure 
of the ij-term calculation unit 1702-j according to a 
modification of the fourth embodiment of the invention. In 
the fourth embodiment, since it is possible to eliminate the 
restriction given by inequality (29) on the threshold k' of 
the (k', t) threshold secret sharing scheme used in the 
secret reconstruction method according to the third 
embodiment, the summation secret sharing scheme can be used 
in place of the (k', t) threshold secret sharing scheme. The 
secret sharing scheme used in the sharing operation can be 
modified into the summation secret sharing scheme by 
modifying the computations performed in the secret sharing 
operation unit 1001-j of the distributed secret 
reconstruction operation unit 902-j and the secret 
reconstruction operation unit 903, and modifying both the 
computational operation and structure of the jj-term 
calculation unit 1701-j in the distributed multiplication 
units 1205-j-a, 1206-j-a. Instead of obtaining the shares 
Xm'_{j,p} from the above equations (29') and (30), the operation 
of the secret sharing operation unit 1001-j of the 
distributed secret reconstruction operation unit 902-j is 
modified as follows: first, t - 1 random elements are 
selected from the finite field and assigned to the shares 
Xm'_{j,p} (p = 1, 2, ..., t - 1), and a final share Xm'_{j,t} is 
obtained from the following equation (56). 

Xm'_{j,t} = Xm'_j - (Xm'_{j,1} + Xm'_{j,2} + ... + Xm'_{j,t-1}) (56) 
Second, the above equations (27) and (28) used in the 
computation in the secret reconstruction operation unit 903 
are changed to the following equation (57). 

S = Sd_1 + Sd_2 + ... + Sd_t = \sum_{j=1}^{t} Sd_j (57) 
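The summation secret sharing scheme that the modifications of the second and fourth embodiments substitute for the (k', t) threshold scheme (equations (54) to (57)), as an added worked example in Python. This is not code from the patent: the prime modulus Q, the function names and the use of the `secrets` module as the source of random field elements are this example's own choices. Beyond the equations themselves, it checks the property the modification of the first embodiment relies on: any t - 1 summation shares are consistent with every possible secret in GF(q), so seeing them reveals nothing about S.

```python
import secrets

# Constructed modulus: any prime q defines the field GF(q) in which the
# patent's sharing operations are carried out.
Q = 2**61 - 1


def summation_share(secret: int, t: int, q: int = Q) -> list[int]:
    """Split `secret` into t additive shares as in equations (55) and (56):
    shares 1..t-1 are uniformly random field elements and share t is
    chosen so that the field sum of all t shares equals the secret."""
    if t < 2:
        raise ValueError("summation sharing needs at least two shares")
    secret %= q
    shares = [secrets.randbelow(q) for _ in range(t - 1)]
    shares.append((secret - sum(shares)) % q)
    return shares


def summation_reconstruct(shares: list[int], q: int = Q) -> int:
    """Equations (54) and (57): the secret is the field sum of all t shares."""
    return sum(shares) % q


def completing_share(partial: list[int], candidate: int, q: int = Q) -> int:
    """Given any t-1 shares, return the one t-th share that would make the
    full set reconstruct to `candidate`. Such a share exists for every
    candidate in GF(q), which is why t-1 shares carry no information."""
    return (candidate - sum(partial)) % q


def every_secret_is_consistent(partial: list[int], q: int) -> bool:
    """Over a small field, confirm that t-1 shares are consistent with every
    possible secret (the information-theoretic property behind eq. (55))."""
    return all(
        summation_reconstruct(partial + [completing_share(partial, c, q)], q) == c
        for c in range(q)
    )


if __name__ == "__main__":
    # Constructed inputs: share a secret among t = 5 members and recover it.
    t, s = 5, 1234567
    shares = summation_share(s, t)
    print("reconstructed correctly:", summation_reconstruct(shares) == s)
    # Three of four shares over GF(7) are consistent with all seven secrets.
    print("t-1 shares uninformative:",
          every_secret_is_consistent(summation_share(3, 4, q=7)[:3], 7))
```

The trade-off a practitioner should keep in mind is that the summation scheme is a (t, t) scheme, not a (k', t) threshold scheme: every one of the t shares is needed, so the loss of a single member's share makes S unrecoverable, in exchange for the much simpler arithmetic the modifications above exploit.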

Third, in the fourth embodiment as shown in FIG. 21, 
the computation in the ij-term calculation unit 1702- j of 
the distributed multiplication units 1205-j-a, 1206-j-a is 
performed so that the two inputs Adj , Bdj to the distributed 
multiplication units 1205-j-a or 1206-j-a are received and 
multiplied together, and the product is multiplied by the 
coefficient rdj calculated by the equation (41) . In the 
modification of the fourth embodiment, however, as shown in 
FIG. 26, the distributed multiplication units 1205-j-a, 
1206-j-a are constructed so as to eliminate the 
multiplication by the coefficient rdj. That is, in the 
modification of the fourth embodiment, the coefficient 
multiplication units 1806-j-i (i = 1, 2, ..., j - 1, j + 
1, ..., t) shown in FIG. 21 are removed and Ad_j x Bd_j is 
output as the result. 

Modification of the Fifth Embodiment 

FIGs. 27A and 27B are block diagrams illustrating 
structures of distributed inverse element calculation units 
1203-j-a and 1203-i-a, respectively, according to the 
modification of the fifth embodiment of the present 
invention. In the fifth embodiment, the restriction given by 
inequality (29) on the threshold k' of the (k', t) threshold 
secret sharing scheme used in the sharing operation in the 
secret reconstruction method according to the third 
embodiment is eliminated. Consequently, the summation secret 
sharing scheme can be used in place of the (k', t) threshold 
secret sharing scheme. This modification can be made by 
modifying the structure of the distributed inverse element 
calculation units 1203-j-a and 1203-i-a shown in FIGs. 24A 
and 24B to the structure shown in FIGs. 27A and 27B, in 
addition to the above-described modifications of the fourth 
embodiment, i.e., the modifications of the computing 
operations in the secret sharing operation unit 1001-j of 
the distributed secret reconstruction operation unit 902-j , 
secret reconstruction operation unit 903, and jj-term 
calculation unit 1701-j of the distributed multiplication 
units 1205-j-a, 1206-j-a, and the modification of the 
structure of the ij-term calculation unit 1702-j . The linear 
combination operation unit 2103-j is modified to a t-term 
adder 2109-j , and the computing operation in the secret 
sharing operation unit 2105-j is also modified. Since the 
operation in the secret sharing operation unit 2105-j is 
changed, its reference characters have been changed to 2110- 
j. The t-term adder 2109-j receives the output from the 
distributed multiplication unit 2102-j and the outputs from 
the other members' distributed multiplication units 2102-i 
(i = 1, 2, ..., t, i ≠ j) via secure channels 303 similar to 
the ones in FIG. 3, adds all of them, and outputs the result 
to the inverse element operation unit 2104-j. If the output 
from the distributed multiplication unit 2102-j is denoted 
Ud_j and the outputs received from the other members' 
distributed multiplication units 2102-i via the secure 
channels 303 are denoted Ud_i (i = 1, 2, ..., t, i ≠ j), 
whereas the linear combination operation unit 2103-j 
performed the computing operation using the equations (49) 
and (50) , the t-term adder 2109-j calculates the quantity U 
in the following equation (58) and outputs U to the inverse 
element operation unit 2104-j. 

U = \sum_{p=1}^{t} Ud_p (58) 

The secret sharing operation unit 2110-j, the operation 
of which is modified from that of the secret sharing 
operation unit 2105-j, receives the output U^{-1} from the 
inverse element operation unit 2104-j, generates shares from 
this output U^{-1}, and distributes them to the other members 
through the secure channels 303. Whereas the secret sharing 
operation unit 2105-j performed the calculation in equations 
(52) and (53) to obtain the shares U^{-1}d_p (p = 1, 2, ..., t), 
the secret sharing operation unit 2110-j obtains the shares 
U^{-1}d_p as follows: first, t - 1 random elements are selected 
from the finite field GF(q) and assigned to shares U^{-1}d_p (p = 
1, 2, ..., t - 1); then a final share U^{-1}d_t is obtained from 
the following equation (59). 

U^{-1}d_t = U^{-1} - (U^{-1}d_1 + U^{-1}d_2 + ... + U^{-1}d_{t-1}) (59) 
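The round performed by the modified distributed inverse element calculation unit 1203-j-a of the representative member, i.e. the t-term adder of equation (58), the inverse element operation unit, and the re-sharing of U^{-1} in equation (59), as an added example in Python that is not code from the patent. The inputs Ud_1, ..., Ud_t are constructed values, the modulus Q is an assumed prime, and computing the inverse with Fermat's little theorem is this example's assumption, since the page does not say how the inverse element operation unit 2104-j obtains U^{-1}.

```python
import secrets

# Constructed prime modulus defining the field GF(q) of the sharing operation.
Q = 2**61 - 1


def t_term_adder(ud: list[int], q: int = Q) -> int:
    """Equation (58): the representative member's t-term adder 2109-j sums its
    own Ud_j with the Ud_i received from the other members over channels 303."""
    return sum(ud) % q


def inverse_element(u: int, q: int = Q) -> int:
    """Inverse element operation unit 2104-j. How the unit computes the inverse
    is not stated on the page; this uses Fermat's little theorem (q prime),
    which is an assumption. A zero sum has no inverse and is rejected."""
    u %= q
    if u == 0:
        raise ZeroDivisionError("U = 0 has no inverse in GF(q)")
    return pow(u, q - 2, q)


def share_inverse(u_inv: int, t: int, q: int = Q) -> list[int]:
    """Equation (59): secret sharing operation unit 2110-j draws t-1 random
    field elements U^-1 d_1 .. U^-1 d_{t-1} and sets U^-1 d_t so that all t
    shares sum to U^-1."""
    shares = [secrets.randbelow(q) for _ in range(t - 1)]
    shares.append((u_inv - sum(shares)) % q)
    return shares


def distributed_inverse_round(ud: list[int], q: int = Q) -> list[int]:
    """One full round of the modified unit: add, invert, re-share. Returns the
    t shares of U^-1 the representative member hands out (its own included)."""
    u = t_term_adder(ud, q)
    return share_inverse(inverse_element(u, q), len(ud), q)


def check_round(ud: list[int], q: int = Q) -> bool:
    """Verify that the shares sent out sum to the inverse of the summed U,
    i.e. that U times the reconstructed U^-1 is the field identity."""
    shares = distributed_inverse_round(ud, q)
    return (t_term_adder(ud, q) * sum(shares)) % q == 1


if __name__ == "__main__":
    # Constructed outputs Ud_1..Ud_4 of the members' distributed multiplication units.
    print("round consistent:", check_round([11, 22, 33, 44]))
```

The check confirms that the shares sent through the secure channels 303 reconstruct to U^{-1}; a summed U equal to zero has no inverse, so the round must be rejected explicitly rather than allowed to continue with an invalid value.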

Other Modifications 
In the distributed multiplication units 1205-j-a, 1206- 
j-a of the fourth embodiment and the modification thereof 
described above, similar effects can also be obtained with a 
structure in which: (1) the term operation receivers 1801-j- 
p (p = 1 , 2 , . . . , j - 1) are replaced by term operation 
transmitters, and the term operation transmitters 1804- j-p 
(p = j +1, j +2,..., t) by term operation receivers; (2) 
the term operation receivers 1802-j-p (p = 1, 2,..., j - 1) 
are replaced by term operation transmitters , and the term 
operation transmitters 1803-j-p (p = j +1, j +2,..., t) by 
term operation receivers; or (3) all of the term operation 
receivers are replaced by term operation transmitters, and 
vice versa. 

Further, in the distributed multiplication units 1205- 
j-a, 1206-j-a of the fourth embodiment and its modification 
described above, the information exchanged between the term 
operation receivers 1801-j-p (or 1802-j-p) and the term 
operation transmitters 1804-p-j (or 1803-p-j) via the secure 
channels 303 is analogous to encrypted information as shown 
in equations (44) (or (44')) and (46) to (48) (or (46') to 
(48')), in which information to be transmitted is concealed 
on the basis of the difficulty of computing discrete 
logarithms modulo q. Therefore, secret communication is not 
necessarily required. In the equation (44) (or (44')), the 
information Ad_j (or Bd_j) to be transmitted is concealed as a 
power of the generator h in the finite field, and necessary 
information Ad_j(a - 1) - Dd_{j,p} (or Bd_j(a - 1) - Ed_{j,p}) to be 
obtained from the equations (46) to (48) cannot be obtained 
without knowing the random element rB_{p,j} (or rA_{p,j}) used in 
equation (44') (or (44)). Accordingly, in the above- 
described communication, non-secure channels, such as 
broadcast-type channels or channels at risk of wiretapping, 
may be used. 

In the distributed inverse element calculation unit 
1203-j-a of the fifth embodiment and its modification 
described above, the operations in the linear combination 
operation unit 2103-j (and t-term adder 2109-j), inverse 
element operation unit 2104-j , and secret sharing operation 
unit 2105-j (2110-j) in the distributed inverse element 
calculation unit 1203-j-a of the representative member may 
be performed instead by a central facility that performs the 
operations of collecting the outputs from the other members' 
distributed multiplication units 2102-i, performing a linear 
combination operation (summation) on them, obtaining the 
inverse element of the result, sharing the resulting inverse 
element, and distributing the generated shares to the other 
members. In this case, the linear combination operation 
units 2103-j-a of all collected members may have the 
structure shown in FIG. 24B. 

In the distributed inverse element calculation unit 
1203-j-a of the fifth embodiment and its modification 
described above, information is exchanged between the 
representative member's linear combination operation unit 
2103-j (and the t-term adder 2109-j) and the secure channels 
303 (or between the other members' revealed transmitters 
2107-i and the secure channels 303) and between the 
representative member's secret sharing operation unit 2105-j 
and the secure channels 303 (or between the other members' 
revealed receivers 2108-i and the secure channels 303) , not 
necessarily by secret communication. Therefore, broadcast- 
type channels or channels at risk of wiretapping may also be 
used. 

In the above first to fifth embodiments, a 'member' was 
described as a device with computing and memory facilities, 
but the secret reconstruction method according to the 
present invention can also be carried out by a plurality of 
human members who gather with their shares. 

Further, as described in effects of the first to third 
embodiments, the first to fifth embodiments provide an 
authentication scheme that can determine whether all members 
(devices) in a group comprising a plurality of collected 
members are valid members or not, thereby determining 
whether they are the members to whom the shares of the 
secret information S were previously distributed or not. In 
this case, the original secret information S is used as 
reference secret information or registered information that 
is compared with the reconstruction result to decide if the 
authentication is valid or not, so the original secret 
information S does not have to be kept secret from the 
members. 

Those skilled in the art will recognize that further 
variations are possible within the scope of the invention, 
which is defined in the appended claims. 